December 2, 2022

Volume XII, Number 336

Advertisement

December 01, 2022

Subscribe to Latest Legal News and Analysis

November 30, 2022

Subscribe to Latest Legal News and Analysis

November 29, 2022

Subscribe to Latest Legal News and Analysis

Digital Health 2021 Year in Review

DIGITAL HEALTH

The continuation of the COVID-19 public health emergency (PHE) and consumer demand for digitally delivered healthcare not only necessitated the shift from in-person to virtual care, but also continued to drive interest, adoption, investment and transactions in digital health in 2021. Digital health funding in 2021 far surpassed 2020’s totals, with no signs of slowing down in 2022, and the potential permanence of some regulatory flexibilities beyond the PHE are charting a course for continued digital health growth in 2022 and beyond.

TELEHEALTH UPDATES AND IMPLICATIONS FOR CY 2022

On November 2, 2021, the Centers for Medicare & Medicaid Services (CMS) published the calendar year (CY) 2022 Medicare Physician Fee Schedule (MPFS) final rule, which went into effect Jan. 1, 2022, and includes coverage extensions for certain telehealth services added during the COVID-19 PHE, such as:

  • Extension of coverage for services temporarily added to the Medicare telehealth services list (Category 3 services) through the end of CY 2023.

  • The permanent adoption of HCPCS Code G2252 for extended virtual check-ins, established on an interim basis in the CY 2021 MPFS.

While the final rule includes coverage for several new virtual care services in 2022, such as remote therapeutic monitoring (RTM), CMS did not approve requests to make these coverage extensions permanent. Per CMS, the extension of Category 3 services coverage through CY 2023 will allow more time for evaluation.

The final rule also includes multiple provisions for mental health telehealth services, including

  • Coverage for audio-only telehealth services in the patient’s home for the diagnosis, evaluation, or treatment of a mental health disorder, provided certain conditions are met, including the requirement of in-person visits at least every 12 months

  • Mental health telehealth visits can originate from within a patient’s home. As provided for under the Consolidated Appropriations Act, providers can offer mental health services via telehealth without complying with typical originating site and geographic restrictions, provided that certain conditions are met, including that the patient receive an in-person visit prior to the telehealth visit and at least every 12 months thereafter.

  • For Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs), CMS is allowing audio-video and audio-only telehealth services for the purposes of diagnosis, evaluation, or treatment of a mental health disorder.

  • Physicians can deliver Opioid Use Disorder (OUD) therapy and counselling services using audio-only technology, in instances where two-way video is not available

TELEHEALTH REGULATORY UPDATES TO WATCH FOR IN 2022:

There are still many regulatory unknowns that will take shape in the coming months. For example, expect to see ongoing changes in telehealth coverage policies, affecting not only general medical and behavioral healthcare, but an increasing number of specialties.

There are still many regulatory unknowns that will take shape in the coming months. For example, expect to see ongoing changes in telehealth coverage policies, affecting not only general medical and behavioral healthcare but an increasing number of specialties. Providers using teledentistry and teleoptometry, for example, must stay up-to-date on the latest regulations to ensure they are operating in a consistent, complaint manner and are adequately prepared for changes if/when the PHE telehealth waivers are lifted.

Another open matter in the ongoing PHE (and thereafter) relates to enforcement of the Ryan Haight Act, which requires practitioners issuing a prescription for a controlled substance to conduct an in-person medical evaluation or conduct a video/audio communication in a DEA-registered facility. The Drug Enforcement Administration (DEA) initially loosened remote prescribing restrictions of Schedule II through Schedule V controlled substances in January 2020, allowing providers to electronically prescribe controlled substances without first conducting an in-person examination during the PHE, provided certain conditions are met. Despite the relaxation of this requirement at the federal level, providers must ensure that they continue to comply with state law requirements for controlled substances – which may independently require an in-person examination.

At the state level, as of January 2022, 42 states and the District of Columbia already have telemedicine parity language in place, with others following suit. However, given that states reimburse at different rates, mental health and telehealth businesses looking to expand to other states should do their research on reimbursement rates across the country to increase stability and chart the most strategic course for growth. States continue to update their telehealth laws and regulations, frequently providing clarification and sometimes loosening licensing requirements making it easier for out-of-state practitioners to provide services. The environment remains a patchwork, however, and careful review of state licensing and prescribing requirements remains necessary.

Going forward, providers must track regulatory developments related to the prescription of controlled substances and enforcement of original provisions in the Ryan Haight Act as well as state-level developments.

The industry must also watch for potential permanent fixes to originating site and geographic restrictions on Medicare telehealth coverage, which have been proposed in The Telehealth Modernization Act of 2021 (HR 1332) and the CONNECT for Health Act of 2021 (S 1512).

INTEROPERABILITY AND DATA SHARING

With the Cures Act’s information blocking provision now in full swing, regulated organizations must have the capabilities in place to share healthcare data. Organizations that interfere with the access, exchange, or use of electronic health information (EHI) are subject to penalties. The law excludes practices required by applicable law(s) or if they meet an exception established by the Department of Health and Human Services (HHS) Secretary.

Important upcoming deadlines include:

  • Through October 5, 2022, the provision only applies to data elements represented in the United States Core Data for Interoperability (USCDI Version 1).

  • On and after October 6, 2022, an actor must respond to a request to access, exchange, or use EHI with EHI as defined in § 171.102.

“Organizations regulated by the Cures Act information blocking provision should take steps to ensure EHI is prepared to comply with October 2022 deadlines.”

To prepare for October 2022, the Department of Health and Human Services’ (DHHS) Office of the National Coordinator for Health IT (ONC) recommends that the regulated community:

  • Subject to applicable HIPAA requirements, share more EHI than required in the USCDI Version 1, if possible, and not wait to begin doing so.

  • Have a goal of making all EHI available as soon as possible, as if the scope of EHI were not currently limited.

HIPAA ENFORCEMENT DISCRETION

In January 2021, the United States Department of Health and Human Services, Office for Civil Rights (OCR) announced a notification of enforcement discretion relating to certain aspects of HIPAA that provides Covered Entities some flexibility in providing remote care during the PHE. Specifically:

  • The OCR will not impose penalties for non-compliance with the regulatory requirements under the HIPAA rules against covered health care providers in connection with the good faith provision of telehealth services, regardless of whether the services are related to diagnosis and treatment of health conditions associated with COVID-19.

  • A covered health care provider that chooses to use audio or video communication technology to provide telehealth to patients during the PHE may use any non-public facing remote communication product that is available to communicate with patients.

HHS also published proposed modifications to HIPAA in early 2021. It is possible that some of these changes intended to increase permissible disclosures of PHI, improve care coordination and case management and increase individual access to PHI will be adopted in 2022, and will have a ripple effect throughout healthcare payer and provider organizations’ compliance departments. For example, the modifications would necessitate updates to policies and procedures, business associate agreements, notices of privacy practices and other HIPAA-related compliance issues.

“It is possible that some of these changes… will have a ripple effect throughout healthcare payer and provider organizations’ compliance departments.”

HEALTH BREACH NOTIFICATION RULE

On September 15, 2021, the Federal Trade Commission (FTC) voted to issue a policy statement announcing an expansive interpretation of the FTC’s Health Breach Notification Rule, 16 CFR Part 318. This rule applies to health apps and connected devices that are not subject to HIPAA, but are capable of drawing information from multiple sources—for example, through a combination of consumer inputs and application programming interfaces (APIs) that connect to other services on a device, like a calendar app.

The FTC’s latest position on the Health Breach Notification Rule for digital health apps and connected devices is as follows:

  • Developers of mobile health apps or connected devices are “healthcare providers” for purposes of the rule because the developer furnishes healthcare services or supplies by offering the app or connected device; and

  • Any mobile health app is covered by the rule if it is capable of drawing information from multiple sources, even if health information is collected from only one source

This policy has broad implications for consumer mobile health, wellness, fitness and other apps that fall within the scope of this new guidance. For example, a covered app developer’s disclosure of individually identifiable health information to a thirdparty analytics provider without the consumer’s authorization likely triggers the breach notification provisions of the rule, unless the entity “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”

To ensure compliance, developers of mobile health apps and connected devices should continue to evaluate their products and services in light of this policy statement and resulting enforcement activity, and should consider whether to obtain individual authorization for disclosures of individually identifiable health information made by the developer.

This policy has broad implications for consumer mobile health, wellness, fitness and other apps that fall within the scope of this new guidance.

STATE-LEVEL PRIVACY AND CONSUMER DATA PROTECTION LAWS

With an array of new consumer privacy laws set to take effect in 2023, in-house counsel and privacy professionals have their work cut out for them in aligning their businesses with the expanding patchwork of state laws. As an initial step, digital health companies should evaluate whether they meet the applicability requirements for their state’s particular laws, including whether they qualify for an exemption from the law because the health information they hold is regulated by HIPAA or other applicable state health information privacy laws.

To date, three states have enacted new consumer data protection laws that will go into effect in 2023. The Colorado Privacy Act (CPA) will take effect July 1, 2023, just six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA), the successor to the California Consumer Privacy Act, become effective.

For digital health companies that are subject to these laws, an important second step will be evaluating exposure to the new “sensitive data” requirements by updating or creating data maps that include sensitive data categories covered by these laws, establishing process for responding to consumer requests and updating privacy policies and notices to accurately reflect data collection and use practices. Finally, companies should be careful not to design their programs too narrowly. State legislative activity is expected to pick back up when many state legislatures reconvene in early 2022, so with future developments in mind, companies should focus on creating dynamic and “agile” privacy programs that can react quickly and adapt to the changing landscape.

State legislative activity is expected to pick back up when many state legislatures reconvene in early 2022, so with future developments in mind, companies should focus on creating dynamic and “agile” privacy programs that can react quickly and adapt to the changing landscape.

MEDICARE PROMOTING INTEROPERABILITY PROGRAM

CMS also released updates to its Medicare Promoting Interoperability Program in 2021, an initiative focused on improving data exchange and EHR usability for better patient safety. Some of the biggest update implications for hospitals and health system reporting requirements include:

  • Hospitals participating in the interoperability program must finish ONC's Safety Assurance Factors for EHR Resilience Guides beginning in 2022.

  • Eligible hospitals complete an annual self-assessment of their EHRs using ONC-sponsored safety guidelines.

  • Retaining the public health registry reporting and clinical data registry reporting measures for hospitals, making them optional and available for bonus points beginning with the EHR reporting period in CY 2022.

  • See here for full details.

Hospitals and health systems should be prepared to work closely with their EHR vendor partners and legal experts to ensure compliance with CMS' new rules.

NEW TECHNOLOGY ADD-ON PAYMENT (NTAP) UPDATES

On August 2, 2021, CMS issued the final rule for FY 2022 Medicare Hospital Inpatient Prospective Payment System (IPPS) and Long-Term Care Hospital (LTCH) Prospective Payment System (PPS).

The final rule includes a variety of updates intended to improve hospital and health system readiness and response to PHEs, including:

  • New Technology Add-on Payment (NTAP) extension: CMS granted a one-year extension for 13 technologies for which the new technology add-on payment would otherwise be discontinued beginning FY 2022. Medicare will reimburse up to an additional 65 percent (75 percent for certain antimicrobials) of the cost of the approved new technology, plus the applicable MS-DRG payment rate

  • New COVID-19 Treatments Add-on Payment (NCTAP) extension: CMS is extending the NCTAP for eligible COVID-19 products through the end of the fiscal year in which the PHE ends. When applicable, hospitals will be eligible to receive both NCTAP and the NTAP, with the new technology add-on payment reducing the NCTAP amount accordingly.

  • NTAP technology additions for FY 2022: CMS approved 19 technologies that were submitted for NTAP for FY 2022, including 9 technologies under the alternative pathway for new medical devices that are part of the FDA Breakthrough Devices Program. See here for more detailed information.

WHAT TO WATCH IN DIGITAL HEALTH DEALMAKING, DEVELOPMENT AND ADOPTION

Given the rapidly changing healthcare environment and increasing reliance on digital health solutions, providers, payors, employers and solutions developers must pay careful attention to the shifting regulatory landscape. Business imperatives should include the following:

  • Clearly defined and empowered governance and operating structure in place at the enterprise level to ensure proper oversight of digital projects while enabling swift execution and improvement.

  • Executive champions and individuals focused on overseeing the implementation of digital projects and dedicated teams focused on digital program design, launch, optimization, and user experience.

  • Functional support teams (e.g., IT, legal, finance, clinical) in place, as well as teams focused on agile program development and realtime program performance tracking.

  • Defining success and measuring outcomes at every stage of product development and implementation, including when navigating vendor relationships.

As the digital health boom continues in 2022, there are a variety of legal, clinical, operational regulations that healthcare organizations must carefully track, evaluate, and prepare for going forward. Without proper due diligence, organizations risk being in a perfect storm of regulatory non-compliance, at risk of incurring fines, harming patients, causing breaches of fiduciary duties, harming institutions, and deal termination.

As the digital health boom continues in 2022, there are a variety of legal, clinical, operational regulations that healthcare organizations must carefully track, evaluate, and prepare for going forward.

2022 DIGITAL HEALTH OUTLOOK

In 2022, we can expect to see ongoing investor interest and strategic dealmaking with companies specializing in telehealth, remote patient monitoring and other platform-based solutions that focus on improving care access and engagement. We will also continue to see a high volume of M&A activity and digital health adoption, with a focus on solutions that enable value-based care, and the policy implications to support it. Against this backdrop of competitive dealmaking, digital health companies and their investors must also keep a close eye on the evolving regulatory landscape impacting the space.

Sam Siegried also contributed to this article.

© 2022 McDermott Will & EmeryNational Law Review, Volume XII, Number 68
Advertisement
Advertisement
Advertisement

About this Author

Lisa Schmitz Mazur, Health Law Attorney, McDermott Will Law Firm
Partner

Lisa Schmitz Mazur is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office.  Lisa maintains a general health industry practice, focusing on the representation of hospitals and health systems and other health industry providers.

Lisa’s representation of hospitals and health systems includes providing guidance on not-for-profit corporate governance matters, tax-exemption issues, conflict of interest compliance and overall corporate compliance effectiveness.  In addition, Lisa regularly assists hospital and health system clients to...

312-984-3275
Partner

Stephen W. Bernstein is a partner in the law firm of McDermott Will & Emery LLP and is based in the Boston office.  He is head of the Firm’s Health Industry Advisory Practice Group.  He specializes in e-health, deployment of electronic health record systems, health related matters impacted by the Internet and HIPAA, as well as mergers, acquisitions, affiliations and joint ventures in the hospital and physician areas. Stephen has particular experience working with regional electronic health record collaborations as well as pharmaceutical, biotech, device companies,...

617 535 4062
Dale Van Demark, health care, attorney, McDermott Will, law firm
Partner

Dale C. Van Demark is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Washington, D.C., office.  He focuses his practice on a broad array of merger, acquisition, investment, and strategic structuring transactions, with clients in the health industry. He has extensive experience in health system affiliation and restructuring transactions and regularly represents for-profit and tax-exempt clients in a variety of transactions, including strategic transactions with physicians and hospitals. He regularly advises clients regarding the opportunities...

202-756-8177
Stacey L. Callaghan Healthcare and Private Equity Attorney McDermott Will & Emery Chicago, IL
Associate

Stacey Callaghan counsels healthcare and private equity clients as they navigate transactional, regulatory and compliance issues. She focuses on assisting health systems, physician organizations and other healthcare providers through compliance with HIPAA and other privacy laws, fraud and abuse issues, and governance matters. She is also experienced in executing transactions in the healthcare space, and routinely guides clients through joint ventures and mergers and acquisitions.

Prior to joining McDermott, Stacey was a healthcare associate at a large US-based law firm. She is a...

312-277-7688
Patrick Zanayed Associate Chicago Healthcare  Healthcare Mergers & Acquisitions  Healthcare Regulatory & Compliance  Hospitals, Health Systems & Medical Groups
Associate

Patrick Zanayed represents private equity funds, telehealth start-ups, strategic investors, ambulatory surgery centers, behavioral health facilities and physician practices in a variety of transactional and regulatory matters.

Patrick has assisted clients in connection with numerous transactions, including mergers, acquisitions, dissolutions, and management and professional service arrangements, as well as the creation of multi-state physician practice management and telehealth structures. He also regularly advises clients with respect to corporate practice of medicine laws, state...

312-984-2029
Advertisement
Advertisement
Advertisement