Chapter 24: Legal and Regulatory Issues

The Practice of Medicine via Telehealth Technologies

The practice of medicine via telehealth carries with it myriad opportunities as well as unique challenges. One area of particular attention is legal and regulatory compliance. No longer may health care providers follow only the law of their single “home” state as they expand to offer services to patients located across the country and the world. Just as telehealth requires its own tailored clinical approaches, so, too, does it require specific legal solutions and business structures designed to fully harness the promise of telehealth while remaining compliant with the complex universe of state and federal laws. This chapter addresses some of the key legal and regulatory issues in telehealth.

Telehealth and State Licensing

It is widely understood and accepted that in order to practice medicine, an individual must have a license. Licensing is a state law issue, and medical boards have jurisdiction over physician licensing. For telehealth services, licensing rules and applicable state medical practice laws are based not on the location of the physician, but rather the location of the patient at the time of the consult. For example, a physician licensed in New York and providing telehealth services to a patient located in Florida must have a license to practice medicine in Florida (or otherwise meet a licensure exception).

With the development of telehealth practices sweeping across geographic boundaries, licensure has become more of an impediment than it has been in the past. Patients want access to the best specialists, regardless of where they are located. They already have the technology to receive those consults. However, licensure remains a requirement and, for many, an administrative burden (although not insurmountable).

Attempts are underway to help streamline medical licensing. The most notable is the Federation of State Medical Board's Interstate Licensing Compact. This offers a uniform, fast-track option for a physician to obtain multiple licenses in the participating compact states. Thus far (October 2016), 17 states have passed laws to join the compact. States also offer a number of exceptions to licensure, allowing a doctor licensed in one state to deliver care (typically on a limited basis) to patients in the state where the doctor is not licensed. Some exceptions include medical emergencies and disasters, neighboring/border states, follow-up care, free “curbside” informal consults, and peer-to-peer consultations. Although certain exceptions exist in every state, they vary significantly, and providers should carefully understand the requirements or else risk unlicensed practice of medicine.

Telehealth and the Standard of Care

Fundamental to the practice of medicine, whether in person or via telehealth, is to meet the standard of care and deliver high-quality services. To that end, providers should adhere to the same standard of care in telehealth settings as they would when delivering care in person. Thus, labs, vitals, physicals, and any other information obtained in the in-person setting should be obtained when delivering care via telehealth.

Indeed, nearly every state expressly or implicitly holds that treatment recommendations made via telehealth, including issuing a prescription via electronic means, are held to the same standards of appropriate practice as those in traditional in-person settings. Although not every state requires real-time audio-video telehealth, the majority have laws stating that issuing a prescription based solely on an online questionnaire does not constitute an acceptable standard of care.

Telehealth Practice Standards

A number of states have promulgated telehealth practice standards. Not to be confused with the standard of care or scope of practice, telehealth practice standards are largely arbitrary rules and requirements providers must follow when practicing medicine via telehealth and often do not apply to in-person care. Examples of practice standards include patient informed consent to telehealth services, specific disclosures on the provider's website, mandatory forwarding of the patient's medical records to the patient's other caregivers, restrictions on the type of telehealth technology/modality that can be used, and requirements for in-person examinations. These practice standards may be well intended, but they often restrict the ability of providers to innovate in health care delivery. Moreover, it is entirely possible to meet every telehealth practice standard, yet fail to deliver services in accordance with the standard of care (and vice versa). Nonetheless, providers must understand and adhere to state practice standards, as failing to do so can expose them to board of medicine sanctions.

Remote Prescribing of Drugs and Controlled Substances

State Laws

The majority of states permit a physician to prescribe medication following a telehealth examination (also known as remote prescribing). In general, prescribing must occur in connection with a valid doctor–patient relationship, although some states offer narrow exceptions for situations such as cross-coverage and emergencies. There is always a risk that a board of medicine could sanction a physician for prescribing drugs without conducting an appropriate examination (in-person or otherwise), but that risk is based primarily on the clinical situation of the specific patient and whether or not the physician conducted an examination sufficient to meet the standard of care. All prescribing must be done for a legitimate medical purpose by a practitioner acting in the usual course of his or her professional practice. An arrangement where a provider conducts a real-time audio-video exam after reviewing the patient's lab results and medical records is widely considered a gold-standard approach to telehealth. ¹ It might also involve an initial in-person exam of the patient, as appropriate, but a preference (or long-term approach) is to eliminate the need for an arbitrary in-person exam under state law.

Significant policy headway for remote prescribing has been achieved over the past five years, and the next frontier is remote prescribing of controlled substances. This is a more complex legal issue, as state laws tend to be more restrictive regarding controlled substances compared to other medications, and providers must navigate overlapping state medical practice laws, pharmacy board laws, state controlled substance diversion laws, and federal laws and regulations under the Drug Enforcement Agency (DEA). In some states, an in-person examination is not necessarily a prerequisite to prescribe controlled substances. In those states, a physician may create a valid doctor–patient relationship, conduct an examination of the patient via telehealth, and issue a prescription. A prescribing physician must review and comply with both state and federal laws, and federal laws supersede state law unless state law is more restrictive.

Federal Laws and the Federal Ryan Haight Act

The current federal regulations on remote prescribing of controlled substances are more restrictive than many state laws. The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (Ryan Haight Act) amended the federal Controlled Substances Act by adding a series of new regulatory requirements and criminal provisions designed to combat the proliferation of so-called “rogue Internet sites” that unlawfully dispensed controlled substances by means of the Internet. The act was enacted on October 15, 2008, and became effective April 13, 2009. The DEA issued regulations effective that same date. ²

The Ryan Haight Act prohibits distributing, dispensing, or delivery of controlled substances by means of the “Internet” (a broadly defined term) without a valid prescription. ³ The act, for the first time, imposed a federal in-person physical examination requirement by the prescribing practitioner, to be conducted prior to the first prescription. The act essentially constitutes a nationwide prohibition on form-only online prescribing (medical records–based prescribing) for controlled substances. Although the act was intended to target “rogue” Internet pharmacies, the broad language requires legitimate telehealth providers who engage in remote prescribing of controlled substances to review the regulations to ensure compliance. The provisions of the act do not apply to remote prescribing of any and all prescription drugs—only controlled substances.

A prescription for a controlled substance is not valid or effective unless it is issued for a legitimate medical purpose by an individual practitioner acting in the usual course of his professional practice. ⁴ Federal regulations require the physician to have a license to practice medicine in the state where the patient is located at the time of the consult. The responsibility for the proper prescribing and dispensing of controlled substances is on the prescribing practitioner. A physician who engages in the unauthorized practice of medicine under state law is not acting in the usual course of his or her professional practice and thus violates federal law. ⁵

With respect to telehealth practices and remote prescribing, no controlled substance may be delivered, distributed, or dispensed by means of the Internet without a valid prescription. ⁶ The term “valid prescription” means a prescription that is issued for a legitimate medical purpose in the usual course of professional practice by 1) a practitioner who has conducted at least one in-person medical evaluation of the patient or 2) a covering practitioner. ⁷ The term “in-person medical evaluation” means a medical evaluation that is conducted with the patient in the physical presence of the practitioner, without regard to whether portions of the evaluation are conducted by other health professionals. ⁸ Once the prescribing practitioner has conducted an in-person medical evaluation, the regulation does not set an expiration period or a requirement for subsequent annual examinations.

The regulations offer seven “telemedicine” exceptions to the in-person exam requirement, but they are very narrow and do not reflect contemporary accepted clinical telehealth remote prescribing practices. ⁹ They are:

1. The patient is being treated in a DEA-registered hospital or clinic.

2. The patient is being treated in the physical presence of a DEA-registered practitioner.

3. The telemedicine consult is conducted by a DEA-registered practitioner for the Indian Health Service and who is designated as an Internet Eligible Controlled Substances Provider by the DEA.

4. The telemedicine consult is conducted during a public health emergency declared by the Secretary of the U.S. Department of Health and Human Services (HHS).

5. The telemedicine consult is conducted by a practitioner who has obtained a DEA special registration for telemedicine.

6. The telemedicine consult is conducted by a Veterans Health Administration (VHA) practitioner during a medical emergency recognized by the VHA.

7. The telemedicine consult is conducted under other circumstances specified by future DEA regulations.

Some of the exceptions, on their face, are of limited use to most providers (eg, VHA, public health emergency, Indian tribal organization). One exception requires a patient-side telepresenter also registered with the DEA (and presumably independently able to prescribe controlled substances for the patient). Another exception allows the physician to prescribe controlled substances without an in-person evaluation if (1) the patient is treated by and physically located in a hospital or clinic that has a valid DEA registration and (2) the telemedicine practitioner is treating the patient in the usual course of professional practice, in accordance with state law, and with a valid DEA registration (this registration must also be in the state where the patient is located). The DEA announced plans to draft a proposed rule that will create a special registration process allowing physicians to remotely prescribe controlled substances without an in-person exam. The proposed rule is expected to be published in January 2017. ¹⁰

Managing Telehealth Tort Liability

Tort liability for telehealth is rooted in negligence (a breach of duty in the doctor–patient relationship) and is generally a state-law issue. As a general rule, states allow a patient to bring a malpractice claim in the courts of their resident state against a nonresident provider who practices telehealth in the patient's state. Although malpractice claims have been brought against providers for many years, much less is known of telehealth lawsuits compared to those arising in an in-person setting because only a fraction of the total malpractice claims involve telehealth. Moreover, the majority of malpractice claims (telehealth or otherwise) are resolved via confidential settlement agreements and are not reported in public court records.

A direct-to-patient model for telehealth services would need to create a valid doctor–patient relationship as a predicate for the medical services provided to the patient. To that end, telehealth providers should take steps to clarify and document the scope of services and the doctor–patient relationship. Providers should also consider including disclaimers and acknowledgements in the terms of use agreement signed by the patient when utilizing the telehealth services. Other steps taken by some telehealth companies to manage tort liability are as follows:

• Regularly poll patients to assess their satisfaction levels with the telehealth services, including the level of responsiveness and attention provided by the medical professionals. If a particular professional receives more than his or her share of complaints, it could be an indication of risk, as professionals who leave patients dissatisfied may be more frequent targets of malpractice complaints.

• A provider might require in its contracts/employment agreements with its professionals that each professional notify the provider group within three days of any complaints or requests for records from a patient or their legal representative.

• Providers should take the time to understand and follow the applicable laws and guidance (including but not limited to licensing, scope of practice, and fraud and abuse) in each state where the provider group offers telehealth services.

• Provide services only in states where the group's professionals are licensed/registered.

• Providers should understand and incorporate industry practice guidelines and standards as appropriate, such as the practice guidelines published by the American Telemedicine Association.

• Providers should allow sufficient information, resources, etc., for telehealth consults to be provided in accordance with accepted standards of care and clinical practice.

• Providers should document patient understanding of terms of use, limitations, and associated conditions.

• Providers should understand and follow the requirements and rules for telehealth informed consent in each state where the provider offers services.

Telehealth Malpractice Insurance Coverage

Many malpractice insurers have provisions in their agreements that provide malpractice coverage for telehealth services. Others expressly exclude it unless the covered entity affirmatively requests it be added. Some insurers retain the right to selectively deny coverage. Common reasons for selective denial of coverage include 1) the patient or service provided is not located in a state where the insurance company is licensed; 2) the provider/exposure presents an above-average risk; or 3) the coverage disallows telehealth direct patient care, but does allow peer-to-peer consultations. Ultimately, malpractice insurance is regulated at the state level, and this is not always compatible with multistate telehealth practices.

Some malpractice policies only cover encounters within the state in which the provider practices and is licensed. Consequently, providers who offer telehealth services to patients in states in which they are unlicensed risk uninsured claims under the terms of the carrier's policy. Moreover, some carriers assert they are only required to cover claims against providers when the provider is performing health care services in the state where the carrier contractually agreed to cover the provider. Some carriers also offer separate policies (or add-ons) if the telehealth service is only interpretive (eg, telepathology, teleradiology) in a peer-to-peer consultation setting and not a direct-to-patient model.

A provider can take certain steps to better guarantee it will have meaningful malpractice insurance coverage for its telehealth-based physician services:

• Select a carrier that offers a well-defined and thoughtful telehealth malpractice coverage product.

• Verify the malpractice carrier is licensed as an insurer in all the states where the provider group wants to provide telehealth services (ie, where the patients are located).

• Verify the malpractice policy itself extends coverage to all the states (and countries, if international) where the provider group wants to provide services.

• Obtain written assurances from the carrier that the malpractice liability insurance policy covers telehealth malpractice lawsuits.

• Verify the policy includes coverage for claims brought by a patient's estate.

• Verify the policy includes coverage for claims brought by a state licensing board or state department of health against the provider for standard of care and regulatory compliance issues.

• Determine if the policy is occurrence based rather than claims made, so tail coverage is included in the policy premium (if that is desired).

• In general, many providers are experiencing premiums for telehealth services at far lower costs than premiums for in-person services. The incidence of claims filed has been low, and the insurance premium price reflects that. Providers should be able to negotiate competitive rates for telehealth coverage.

Other Laws and Regulations for Telehealth Providers

Corporate Law Issues and the Practice of Medicine

When building a direct-to-consumer telehealth service, one of the fundamental areas to address is the planned geographic footprint of the offering. Many practitioners are comfortable and experienced in creating a provider group within their home state, but telehealth providers routinely seek to avail themselves of the advantage that their patient base can be nationwide or even global. No longer is the provider's patient footprint limited to the zip codes surrounding their brick-and-mortar location. However, this means the provider will be subject to, and must comply with, the laws of all states in which it delivers services.

When preparing the provider's corporate documents, an initial issue to address is the prohibition on the corporate practice of medicine. Generally, the prohibition on the corporate practice of medicine prevents an entity from delivering medical services or employing physicians if the entity is owned by lay persons (ie, nonphysicians). This is a state law issue, and some states have no prohibition on the corporate practice of medicine. Some states with a notable enforcement history regarding the prohibition on the corporate practice of medicine include California, Colorado, New Jersey, New York, Tennessee, and Texas. Some states offer certain exemptions from this rule for hospitals, charitable foundations, and the like. For example, Florida law allows a lay person to own a medical group if the group successfully completes a site survey and obtains a Health Care Clinic license. ¹¹

When deploying a national direct-to-consumer telehealth offering, scalability is key. Maximizing the homogeneity of the provider's operations, processes, and corporate functions enables the provider to realize efficiencies and cost savings.

One approach gaining traction among telehealth provider groups is the use of a “friendly PC” arrangement. This is a particularly attractive option for telehealth providers founded by nonphysicians or that plan to seek external capital funding resulting in lay ownership. The friendly PC model frequently involves two entities: an investor-owned management services organization (MSO) and a professional corporation owned by a single physician owner (the PC or medical group). The MSO and the PC have a management services agreement under which the MSO provides certain services to the PC, and the PC in turn compensates the MSO. The compensation methodology under the management services agreement must also comply with state law on fee splitting, all payor antikickback statutes, and patient brokering laws.

Simply because a physician owner is licensed to practice medicine in one state does not mean that the physician can own a medical group in another state. Indeed, more than half the states require the owner of a medical group to hold a license to practice medicine in that state. Thus, a direct-to-consumer medical group seeking to provide services across all 50 states will need to have a physician owner licensed in many of those states or use an otherwise legally compliant approach.

In addition to medical board rules regarding physician ownership and corporate practice of medicine, legal counsel must know the corporate law and entity creation rules of every state where the telehealth provider plans to do business. Whereas some states allow a foreign PC to qualify to do business as a foreign corporation, other states do not.

Federal Fraud and Abuse Laws

Telehealth arrangements involving any federal health care program dollars (eg, Medicare, Medicaid) must comply with applicable federal fraud and abuse laws, including the Stark Law and the Anti-Kickback Statute. ¹²

The Stark Law prohibits a physician (or immediate family member) from referring Medicare/Medicaid patients for certain designated health services (DHS) to entities with which the physician (or immediate family member) has a financial relationship, unless the arrangement meets a specific exception under the law. ¹³ If a telehealth arrangement or contract is subject to the Stark Law, it must meet an exception, as the Stark Law is a strict liability statute.

The federal Anti-Kickback Statute makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to induce referrals of items or services reimbursable by federal health care programs. ¹⁴ The term “remuneration” includes the transfer of anything of value, in cash or in kind, directly or indirectly, covertly or overtly. ¹⁵ The Anti-Kickback Statute has been interpreted to cover any arrangement where one purpose of the remuneration was to obtain money for the referral of services or to induce further referrals. ¹⁶ Violation of the Anti-Kickback Statute can also trigger false claims liability for the purposes of the federal False Claims Act. The statute ascribes criminal liability to parties on both sides of an impermissible “kickback” transaction. Violation of the Anti-Kickback Statute constitutes a felony punishable by a maximum fine of $25,000, imprisonment up to five years, or both. Conviction will also lead to automatic exclusion from federal health care programs, including Medicare and Medicaid.

If a telehealth arrangement potentially implicates the Anti-Kickback Statute, the parties should see if the contract can be structured to fit within an applicable safe harbor. The safe harbor regulations define practices that are not subject to the Anti-Kickback Statute because such practices would be unlikely to result in fraud or abuse. ¹⁷ The safe harbors include specific conditions that, if met, assure the parties will not be prosecuted or sanctioned for the arrangement. Safe harbor protection is afforded only to those arrangements that precisely meet all of the conditions in the specific safe harbor.

An arrangement that does not meet a safe harbor is not necessarily unlawful or illegal. Such arrangements require a detailed examination of the surrounding factual background and intent of the parties. Generally, the closer an arrangement can be structured to mirror as many possible elements of a safe harbor, the better. In addition, parties oftentimes build additional safeguards into the arrangement, designed to reduce the risk of fraud and abuse and the likelihood of an enforcement action. ¹⁸

State Antikickback, Fee Splitting, and Patient Brokering Laws

As of October 2016, 29 states have all-payor antikickback statutes (sometimes known as “patient brokering statutes”), which function like the federal Anti-Kickback Statute but apply no matter the source of payment (eg, commercial insurance, self-pay, cash). Four additional states have such statutes applicable to commercial insurers but not cash payment. The primary purpose of these statutes is to prohibit payments for referrals of patients or health care items or services. This means a telehealth provider cannot simply avoid antikickback issues by not accepting Medicare or Medicaid dollars.

For example, the Florida Patient Brokering Act prohibits “any person, including any health care provider or health care facility to offer or pay any commission, bonus, rebate, kickback, or bribe, directly or indirectly, in cash or in kind, or engage in any split-fee arrangement, in any form whatsoever, to induce the referral of patients or patronage to or from a health care provider or health care facility.” Similarly, the act prohibits anyone from “[s]olicit[ing] or receive[ing] any commission, bonus, rebate, kickback, or bribe, directly or indirectly, in cash or in kind, or engag[ing] in any split-fee arrangement, in any form whatsoever, in return for referring patients or patronage to or from a health care provider or health care facility.” Unlike its federal counterpart, the Patient Brokering Act applies no matter the source of payment. This means that even if no federal health care program dollars are involved, the Patient Brokering Act can still apply. However, if a discount, payment, waiver of payment, or payment practice is not prohibited under the federal Anti-Kickback Statute, the practice does not violate the Patient Brokering Act.

Compared to the Office of Inspector General's (OIG) enforcement of the federal Anti-Kickback Statute, state all-payor antikickback statutes are not as frequently enforced by state regulators and attorneys general. However, despite the relative lack of state government enforcement of these laws, a trend is gaining traction wherein commercial health plans are using these laws as grounds to file commercial unfair trade practices suits against providers who have been paid claims by the insurer when those claims have been generated by practices or arrangements violating state patient brokering laws.

Privacy and Security

Whether delivering care in person or via telehealth, health care providers must adhere to federal and state laws regarding privacy and security of patient health care information. Complying with these laws can present a set of challenges when much of the care is electronic and data are stored in the cloud. Providers should have policies and procedures to comply with Health Insurance Portability and Accountability Act (HIPAA), state law, and potential cybersecurity threats. These issues are not unique to telehealth providers, and there are solutions and legal approaches to better ensure compliance in multistate or international medical practices.

Online Telehealth Services and Federal Communications Commission Rules

Telehealth providers using online platforms and apps to communicate directly with patients must also be cognizant of and comply with laws regarding phone communications and online services. Among these are the need to use properly structured patient consents and agreements with valid e-sign capability, appropriate terms of use (for patients and providers using the telehealth platform), and an online privacy policy properly tailored to the provider's actual privacy practices. With the proliferation of patient direct communications, alerts, and pings, the Federal Communications Commission (FCC) and the Telephone Consumer Protection Act (TCPA) comes into play for online medical service companies. ¹⁹

The TCPA not only restricts telemarketing calls, automatic telephone dialing systems, and prerecorded voice messages, but restricts text messages as well. The law was implemented in 1992, but was revised in 2012 to create additional customer protections, including the requirement to obtain express written consent from the customer.

The good news for telehealth providers is the TCPA contains a health care exception. Health care providers can send prerecorded voice and text messages, without the patient's prior express consent, in order to convey important “health care messages.” These exemptions include health care messages relating to appointments and exams, confirmations and reminders, wellness checkups, hospital pre-registration instructions, preoperative instructions, lab results, postdischarge follow-up intended to prevent readmission, prescription notifications, and home health care instructions. However, even when delivering the exempt health care messages, providers must still abide by various technical requirements in order to comply with the TCPA. For example, calls and messages are strictly limited to the purposes permitted earlier; must not include any telemarketing, solicitation, or advertising; may not include accounting, billing, debt collection, or other financial content; and must comply with HIPAA privacy rules.

Subscription Fee Models and Insurance Laws

An emerging area of interest among direct-to-consumer telehealth offerings is the use of a subscription model. Under this model, the patient pays a monthly fee (eg, $99/month) in exchange for unlimited telehealth consults. This is an alternative to the traditional fee-for-service or encounter-based payment. The subscription can cover an individual or a family. A subscription offering can be quite attractive to patients and constitute a source of recurring revenue for the provider. However, it is not without its own legal and regulatory issues.

One issue for subscription models is the risk the telehealth provider would be deemed to be offering health insurance by state insurance regulators. The business of insurance is broadly defined under state laws and typically means the assumption of risk from a number of consumers and the distribution of risk across those consumers. One type of risk is “utilization risk”—the risk that consumers will use more telehealth consults than their $99/month subscription fee actually pays for. This is the primary risk insured against by traditional health insurance (and the reason insurance companies have monetary capitalization requirements based on their number of members). State insurance regulators police businesses that could be providing insurance without appropriate licensure, both in response to consumer or competitor complaints and on their own initiative. A subscription model for telehealth services should be assessed to avoid the risk of it being deemed a small-scale health insurance offering.

For example, Florida Statutes Section 624.02 defines “insurance” as “a contract whereby one undertakes to indemnify another or pay or allow a specified amount or a determinable benefit upon determinable contingencies.” The case, Liberty Care Plan v. Dep’t of Insurance (710 So.2d 202 (Fla. App. 1998)), addressed the question of whether Liberty's product met the definition of insurance under Florida law. Liberty sold a membership that entitled members to purchase home health care services at a discount of approximately 50% from the market price for such services in Florida at the time. The court found that the membership was insurance, writing: “The Plan is a contract whereby appellant undertakes to allow a determinable benefit (i.e., home health care services at discount rates) upon a determinable contingency (i.e., the member's exercise of the option to purchase these home health care services at discount rates).”

Compare Florida's statute to Texas law, which enacted a “direct primary care” statute in 2015 expressly permitting such subscription arrangements and holding them outside the definition of insurance. ²⁰ The provisions of this law exempt direct primary care (including maintenance of mental health) from regulation as insurance. Although the law specifically applies to physicians, it is silent regarding other health care professionals. Other states have enacted these “direct primary care” statutes, including, for example, Kansas, Washington, and Utah.

Hospital Telehealth Credentialing and Privileging

Centers for Medicare & Medicaid Services (CMS) Conditions of Participation and Joint Commission Standards require hospitals to have a credentialing and privileging process for physicians and practitioners providing services to the hospital's patients, including those who provide services via telehealth. Federal regulations offer a process for streamlined credentialing of telehealth practitioners. ²¹ This process is commonly referred to as “credentialing by proxy.” It permits the hospital receiving the telehealth services (known as the “originating site” hospital) to rely on the privileging and credentialing decisions made by the hospital or entity providing the telehealth services (known as the “distant site” hospital or “distant site telemedicine entity,” respectively), provided certain requirements are met.

The originating site hospital can use credentialing by proxy when the telemedicine services are provided by a practitioner located at 1) a Medicare-participating distant site hospital or 2) another entity providing telemedicine services (a “distant site telemedicine entity” or “DSTE”). A DSTE is an entity that 1) provides telehealth services; 2) is not a Medicare-participating hospital; and 3) provides contracted services in a manner that enables the originating site hospital to meet all applicable Conditions of Participation, particularly those requirements related to the credentialing and privileging of telehealth practitioners. ²² A DSTE may be a physician group, a non–Medicare-participating hospital, or other nonhospital telehealth provider. ²³ The DSTE rules are used when the provider of telehealth services is not a hospital.

In order to utilize credentialing by proxy, the originating site hospital must enter into a contract with the distant site hospital or DSTE, reflecting and confirming certain requirements (noted later). ²⁴ The governing body of the originating site hospital always retains ultimate authority over privileging decisions regarding telehealth practitioners. The medical staff bylaws must include provisions for credentialing by proxy, and hospitals can consider using the opportunity to create a separate telemedicine staff classification if desired (with accompanying limits on telemedicine staff responsibilities and rights).

1. The distant site hospital or DSTE uses a credentialing and privileging program that meets or exceeds the Medicare standards hospitals have traditionally been required to use.

2. The individual practitioners providing services via telemedicine to the originating site hospital have been privileged at the distant site hospital or DSTE.

3. The distant site hospital or DSTE provides the originating site hospital with a list of the current privileges for the telemedicine practitioners.

4. The individual practitioners providing telemedicine services are licensed to practice in the state where the originating site hospital is located.

5. The originating site hospital periodically reviews the services provided to its patients by the telemedicine practitioners and reports this information to the distant site hospital or DSTE for use in performance evaluations. At a minimum, these reports must include all adverse events or complaints related to each telemedicine practitioner's services provided at the originating site hospital.

6. For contracts with DSTEs only, the agreement must also state the DSTE is a contractor of services to the originating site hospital, which furnishes contracted telemedicine services in a manner that permits the originating site hospital to comply with all applicable Conditions of Participation.

Credentialing by proxy requires the parties to share information regarding credentialing decisions, as well as periodic updates of practitioner reviews and assessments. Providers should be cognizant of state laws regarding peer review decisions, confidentiality, and practitioner disciplinary actions, as well as professional review activities under the federal Health Care Quality Improvement Act. ²⁵ Even if a hospital enters into a credentialing by proxy agreement, it is not required to use that process for all (or any) telehealth practitioners. It retains the option to use the traditional credentialing process if desired. Moreover, depending on the nature of the telehealth service and the originating site hospital's bylaws, the distant site practitioner need not be credentialed at the originating site, as CMS recognizes there are certain situations when credentialing is not required. Providers should conduct a thoughtful assessment of any proposed telehealth arrangement to determine whether or not credentialing is necessary.

Telehealth Payment Policy and Reimbursement

Medicare Coverage of Telehealth Services

Medicare does cover telehealth services, but is currently very limited, and the definitions and restrictions are established in statute by Congress. ²⁶ For eligible telehealth services, the use of a telecommunications system is a substitute for an in-person encounter.

In general, Medicare imposes five conditions of coverage on telehealth services:

1. The beneficiary is located in a qualifying rural area at the time of the consult.

2. The beneficiary is located at one of eight qualifying facilities (“originating sites”) at the time of the consult.

3. The telehealth services are provided by one of ten professionals eligible to furnish and receive Medicare payment for telehealth services (“distant site practitioners”).

4. The beneficiary and distant site practitioner communicate via an interactive audio and video telecommunications system that permits real-time communication between the beneficiary and the distant site provider.

5. The CPT/HCPCS (Current Procedural Terminology/Healthcare Common Procedure Coding System) code for the service itself is named on the CY2016 (or current year) list of covered Medicare telehealth services.

In order to bill Medicare for telehealth services, the provider must fully comply with each of the telehealth requirements. If the telehealth arrangement does not meet each of these requirements, the service is statutorily noncovered, and the Medicare program will not pay for the service. ²⁷ To certify each of these elements have been met, the distant site practitioner must add the GT modifier when billing the claim (the practitioner adds the GQ modifier for asynchronous services in Alaska and Hawaii).

Rural Geographic Restrictions

Under the Medicare conditions of payment for telehealth services, the patient must be located at a qualifying originating site (in a rural health care professional shortage area [HPSA] outside a metropolitan statistical area [MSA], or in a rural census tract, or a county outside of an MSA). This effectively renders facilities located in urban areas unable to qualify as an originating site and therefore ineligible for Medicare coverage of services to beneficiaries via telehealth. Entities participating in a federal telehealth demonstration project approved by or receiving funding from the Secretary of HHS as of December 31, 2000, qualify as originating sites regardless of geographic location. Such entities are not required to be in a rural HPSA or non-MSA. Recognizing the confusion and limitation this restriction has generated, HHS created a website where a beneficiary or provider can enter a zip code and determine whether or not the geographic location is potentially eligible for Medicare coverage of telehealth services. It is called the “Medicare Telehealth Payment Eligibility Analyzer” and is available at http://datawarehouse.hrsa.gov/tools/analyzers/geo/Telehealth.aspx.

Originating Site Restrictions

Not only must the beneficiary be located in a qualifying rural area at the time of the consult, the beneficiary must be located at one of eight qualifying originating sites. Eligible originating sites are:

• Offices of a physician or practitioner

• Hospitals

• Critical access hospitals

• Community mental health centers

• Skilled nursing facilities

• Rural health clinics

• Federally qualified health centers

• Hospital-based or critical access hospital (CAH)–based renal dialysis centers (including satellites) ²⁸

If a beneficiary receives telehealth services while at his or her home (Place of Service [POS] 12), those telehealth services are not covered by Medicare. ²⁹ Many patients choose telehealth services for the convenience and access they offer as an alternative to driving to a practitioner's office and sitting in the waiting room. Accordingly, many telehealth offerings are built around making the services available to patients “on demand” at their home, workplace, or in the evenings. These services would not be covered by Medicare because a beneficiary located at home is not at one of the eight qualifying originating sites.

Eligible Distant Site Practitioners

Even if the first two requirements are met and the beneficiary is located at an eligible rural area and a qualifying originating site, the services themselves must be provided by a qualified distant site practitioner eligible to furnish and receive Medicare payment for telehealth services. Eligible distant site practitioners are:

• Physicians

• Nurse practitioners (NPs)

• Physician assistants (PAs)

• Nurse-midwives

• Clinical nurse specialists (CNSs)

• Certified registered nurse anesthetists

• Clinical psychologists (CPs) and clinical social workers (CSWs) (although CPs and CSWs cannot bill for psychiatric diagnostic interview examinations with medical services or medical evaluation and management services under Medicare)

• Registered dietitians or nutrition professionals ³⁰

This list of 10 eligible practitioners is defined by statute. ³¹ If a beneficiary receives telehealth services from a practitioner other than those listed here, the service is not covered by Medicare. Many patients enjoy telehealth services from other practitioners or specialty providers (eg, RNs, occupational therapists, physical therapists). Currently, services provided by such professionals would not be covered by Medicare because that distant site practitioner is not among the 10 listed types.

Eligible Telecommunications Technology

The Medicare coverage rules require the beneficiary and distant site practitioner to communicate via an interactive audio and video telecommunications system that permits real-time communication between the beneficiary and the distant site provider. ³² This means the practitioner may not use audio-only, store-and-forward, or other message-based communications if the services are to be covered by Medicare. There is a minor exception allowing asynchronous store-and-forward technology in federal telehealth demonstration programs in Alaska or Hawaii.

Eligible CPT/HCPCS Codes

Finally, the service itself must be listed among the eligible CPT/HCPCS codes CMS publishes each year as covered telehealth services. In CY2016, there are approximately 37 covered services (with approximately 50 associated codes). Unless a service is listed among the approved service codes for telehealth services, Medicare will not cover the service if provided via telehealth. ³³

The result of Medicare's restrictive telehealth law has been narrow coverage and few claims submitted. For example, in CY2015, Medicare paid a total of $17.6 million for telehealth service claims, compared to an overall $600 billion Medicare program budget. At the same time, patient demand for the convenience and access to care offered by telehealth services has created a willingness for patients (including Medicare beneficiaries) to self-pay out of pocket to enjoy the benefits of these new technologies. ³⁴

Medicaid Coverage of Telehealth Services

Medicaid coverage of telehealth services varies significantly across states, but almost every state Medicaid program offers some coverage of telehealth services. Highlights include the following:

• Forty-eight state Medicaid programs offer coverage for interactive live video telehealth services.

• Nine state Medicaid programs offer coverage of asynchronous (store-and-forward) telehealth services, not including states that only cover teleradiology.

• Sixteen state Medicaid programs offer coverage for remote patient monitoring.

• Thirty state Medicaid programs pay an additional transmission or facility fee when telehealth is used.

• Ten states impose some form of geographic requirement, restricting telehealth coverage to rural or underserved areas, or require a certain amount of distance between the originating site and the distant site.

• Twenty-three states impose originating site restrictions limiting coverage to when the patient is located at a specific list of facilities. ³⁵

Commercial Health Insurance Coverage of Telehealth Services

Currently, 31 states and the District of Columbia have enacted telehealth commercial insurance coverage laws, and bills are under development in several other states. These laws are generally referred to as “telehealth commercial payer statutes” or “telehealth parity statutes.” They are designed to promote patient access to care via telehealth, whether the patient is in a rural area without specialist care or a busy metropolitan city without the time to leave work or the home and devote three or more hours to an in-person check-up in a crowded waiting room. There are significant variances across the 31 states, but two related but distinct concepts have emerged: telehealth coverage and telehealth payment parity.

Telehealth Commercial Coverage Laws

Telehealth coverage laws require health plans to cover services provided via telehealth to the same extent the plan already covers the services if provided through an in-person visit. The laws do not mandate the health plan provide entirely new service lines or specialties, and the scope of services in the enrollee's member benefit package remains unchanged. The only difference is that the patient can elect to see his or her doctor via telehealth rather than be compelled to drive to the doctor's waiting room for an in-person consult.

Telehealth coverage laws also frequently include language to protect patients from cost-shifting. They disallow health plans from imposing different deductibles, copayments, or maximum benefit caps for services provided via telehealth. Any deductibles, copayments, and benefit caps apply equally and identically whether the patient receives the care in-person or via telehealth. Such language prevents the patient from being saddled with higher copayments to access care via telehealth.

Some states, particularly those that have enacted telehealth coverage laws in the last few years, have elected to expand on telehealth coverage by also requiring health plans to cover remote patient monitoring. Remote patient monitoring includes a variety of patient oversight and communications devices, software, and processes to allow providers a greater ability to monitor patient care needs and immediately respond. States have taken this step because remote patient monitoring, by definition, is a virtual distance-based service and does not have an in-person equivalent that would likely already be found in a member's benefit package.

States that have enacted telehealth commercial insurance coverage laws as of October 2016 are:

1. Alaska

2. Arizona

3. Arkansas

4. California

5. Colorado

6. Connecticut

7. District of Columbia

8. Delaware

9. Georgia

10. Hawaii

11. Indiana

12. Kentucky

13. Louisiana

14. Maine

15. Missouri

16. Michigan

17. Minnesota

18. Mississippi

19. Missouri

20. Montana

21. Nevada

22. New Hampshire

23. New Mexico

24. New York

25. Oklahoma

26. Oregon

27. Rhode Island (effective Jan. 1, 2018)

28. Tennessee

29. Texas

30. Vermont

31. Virginia

32. Washington (effective Jan. 1, 2017)

Telehealth Payment Parity Laws

Telehealth payment parity enables providers for telehealth services to be reimbursed at the same or equivalent rate the health plan pays the provider when the service is provided in person. For example, assume a doctor's participation agreement with a health plan reimburses the doctor $100 for a patient exam. With a payment parity law, the health plan pays the doctor $100 whether he provides the service in person or via telehealth, so long as the doctor does not agree to accept a lower rate (or alternative payment model) for services provided via telehealth under the provider agreement. If the agreed-upon contract rate is $30 for the in-person service, it is also typically $30 for telehealth. Payment parity does not change the plan's existing utilization review processes. The doctor's services (whether in person or via telehealth) must still be of high quality, appropriately documented, and medically necessary in order to be paid.

Payment parity is, in part, a response to avoid the problem of health plans paying for telehealth services at only a percentage of the in-person rate or imposing restrictive conditions on telehealth. This situation currently exists in many states that enacted a telehealth coverage statute but failed to include payment parity language, including New York in 2016. The result: a telehealth payment statute that is largely useless after the fanfare of the legislation's signing ceremony. Payment parity is intended to level the field for providers to enter into meaningful negotiations with health plans as to how telehealth services are covered and paid.

Minnesota's telehealth insurance law includes both coverage and payment parity. ³⁶ It states, in pertinent part, as follows:

• A health plan […] shall include coverage for telemedicine benefits in the same manner as any other benefits covered under the policy, plan, or contract, and shall comply with the regulations of this section.

• A health carrier shall not exclude a service for coverage solely because the service is provided via telemedicine and is not provided through in-person consultation or contact between a licensed health care provider and a patient.

• A health carrier shall reimburse the distant site licensed health care provider for covered services delivered via telemedicine on the same basis and at the same rate as the health carrier would apply to those services if the services had been delivered in person by the distant site licensed health care provider.

• It is not a violation of this subdivision for a health carrier to include a deductible, co-payment, or coinsurance requirement for a health care service provided via telemedicine, provided that the deductible, co-payment, or coinsurance is not in addition to, and does not exceed, the deductible, co-payment, or coinsurance applicable if the same services were provided through in-person contact.

The multitude of federal and state laws and regulations can often intimidate new (and existing!) telehealth providers. However, scalable, efficient solutions are out there. A compliant telehealth arrangement frequently requires legal counsel with specific experience and expertise developing and creating these new arrangements and business models.