4. HIPAA Generally
> Health Insurance Portability and Accountability Act
of 1996
> The Privacy Regulations under HIPAA govern the
use and disclosure of most health information held
by Covered Entities.
> The Security Regulations protect health information
from unauthorized people.
> Covered Entities are:
- Health Plans (e.g., Medicare and Medicaid, Employer Health Plans,
HMOs and other commercial plans, and CHAMPUS)
- Health Care Clearinghouses (e.g., billing agent)
- Health Care Providers who conduct certain electronic transactions
(almost all physicians and hospitals)
5. Privacy Rule vs. Security Rule
Privacy Standard(s)
> Minimum use - payment & operations, not treatment
> Notice of Privacy Practices/Designated Record Set
> Reasonable safeguards
> Incidental use and disclosure if and only if…
> Verification of requestor
> Sanctions
> Business Associate Contracts
Security Standard(s)
> Access control
> Authentication
> Network Controls
> Training
> Workstation controls: use; location (physical and technical)
> Authentication/Authorization
> Audit trails
> Chain-of-Trust Agreements
6. HIPAA Privacy Rule
> Permitted Uses and Disclosures
- A covered entity is permitted, but not required, to
use and disclose protected health information,
without an individual’s authorization, for the
following purposes or situations:
- To the Individual (unless required for access or accounting
of disclosures);
- Treatment, Payment, and Health Care Operations;
- Opportunity to Agree or Object;
- Incident to an otherwise permitted use and disclosure;
- Public Interest and Benefit Activities
7. HIPAA Privacy Rule (cont'd)
> Requires covered entities to:
- Obtain authorization for special additional uses of PHI
- Designate a privacy official
- Develop policies and procedures (including receiving
complaints)
- Provide privacy training to their workforce
- Develop a system of sanctions for employees who violate
the entity’s policies
- Meet documentation requirements
- Implement appropriate administrative, technical, &
physical safeguards to protect privacy
8. HIPAA Security Requirements
> 3 Basic types of safeguards:
- Administrative
- How to deactivate access
- When is activity logged
- Physical
- Where are devices located
- How is physical access to systems and/or ePHI
accomplished
- Technical
- What is electronic?
- Encryption
9. HIPAA Security Rule
> Ensure the confidentiality, integrity, and
availability of all electronic PHI
> ePHI
- Any electronic protected health information
created by a health care provider, health plan,
public health authority, employer, life insurer,
school or university.
- It identifies who you are
- Individually Identifiable Health Information
- Examples: name, street address, social security
number, zip code, condition/disease, etc.
10. HIPAA Security Rule (cont'd)
> Covered entities are required to:
- Assess potential risks and vulnerabilities
- Protect against threats to information
security or integrity, and against
unauthorized use or disclosure
- Implement and maintain security measures
that are appropriate to their needs,
capabilities and circumstances
- Ensure compliance with these safeguards
by all staff
11. HIPAA Issues Unique to Telehealth Services
> Security of technology necessary in telemedicine
- Use of Skype and similar technology to provide telehealth
services
> Distribution of the Notice of Privacy Practice to patient, if the
health care provider is not a member of the patient site
workforce
> HIPAA privacy training/education if the health care provider is
a member of the patient site workforce
> Business associate agreements with technical providers
(non-covered entities) who assist with the delivery of
healthcare by telemedicine
> Telehealth consultations may require additional non-clinical
personnel, such as technicians and camera operators, who
do not participate in traditional medical care
13. Anti-Kickback Statute
> It is a crime to knowingly and willfully solicit,
receive, offer, or pay remuneration of any kind
(money, goods or services) for the referral of an
individual to another for the purpose of supplying
services that are covered by a Federal Health care
Program; or purchasing, leasing, ordering, or
arranging for any good, facility, service, or item that
is covered by a Federal health care program (42
U.S.C. § 1320a-7b(b))
- Civil and criminal penalties
- Safe harbors
14. Safe Harbors
> Immunize certain payment and business
practices that are implicated by the anti-
kickback statute from criminal and civil
prosecution under the statute
> Most common safe harbors for telehealth
- Space Rental Safe Harbor
- Equipment Rental Safe Harbor
- Personal Services and Management Contracts
Safe Harbor
- Bona Fide Employees' Safe Harbor
15. Common Anti-Kickback Telehealth Issue
> The provision of subsidized or free
equipment
- Does an originating site’s subsidization of the
capital and/or operating costs result in referrals
(directly or indirectly)?
16. Kickback Analysis
> Did something of value get offered, requested,
or exchange hands?
> If so, was the conduct willful?
> Did the provider’s treatment pattern change?
> Were patients switched because of the kickback?
> If yes, were they consulted, told about the inducement?
> Did the parties know about the anti-kickback statute?
> If so, is there a safe harbor?
> If so, was some or all of the expected/desired business
paid for by a federal health care program?
17. STARK Self-Referral Law
> The federal Stark physician self-referral law
generally prohibits a physician from making
referrals to an entity for any of eleven (11)
designated health services if the physician
(or an immediate family member) has a
"financial relationship" with the entity (42
U.S.C. § 1395nn)
19. Medical Malpractice & Telehealth
> Malpractice generally
- Duty
- Breach
- Causation
- Damages
> Standard of care
- Local v. state v. national v. international
- Specialist v. generalist
- Expert witnesses
- Qualifying
- Evidence-based guidelines?
- A question of fact for the jury
20. Liability Concerns
> Areas of main concern
- Affirmative errors
- Acts or omissions
- Failure to treat
- Treating physician at originating site does not
use telemedicine services – can such failing
lead to liability on the part of physician,
originating site facility?
22. Credentialing & Privileging Overview
> Credentialing
- Reviewing and confirming a provider’s credentials and
other documentation:
- Education
- Licensure
- Certifications
- Insurance
- National Practitioner Data Bank
- References
- Third party verification organizations
> Privileging
- Scope and content of patient care services to be authorized
for a provider by a health care organization.
- Based on an evaluation of the provider's credentials and
performance
- Peer review
23. Credentialing & Privileging: Issues for Telehealth
> Who is responsible for conducting
credentialing and privileging—
- Originating site?
- Distant site?
> Joint Commission
- Allowed credentialing & privileging by "proxy".
- Accredited JC hospital could rely on the
credentialing and privileging conducted by the
distant JC-accredited facility.
24. Credentialing & Privileging: Issues for Telehealth (continued)
> CMS Original Position:
- May use third party verification organizations for
credentialing
- Cannot use third parties for privileging
- All hospitals who engage in telehealth must privilege
each health care practitioner providing services to its
patients as if the practitioner were on site
> Final Rule
- Expected clearance—mid-April 2011
- Proposed rule allowed for a "remote"
credentialing and privileging process
26. Online Prescribing Overview
> States have different approaches
- Two-thirds of states—
- Require an in-person evaluation or physical
examination before prescribing online; or
- Permit physicians to prescribe online only if there is a
preexisting patient relationship.
- Many states prohibit online prescribing based
solely on information from an online
questionnaire.
- Some states regulate online prescribing through
pharmacy laws
- Most pharmacy laws do not permit prescriptions based
solely on an online questionnaire.
Source: Preliminary data from CTeL: 50 State Internet Prescribing Legal Report
27. Virginia Statute
> Permits a physician to prescribe medication to a
patient as long as there is a bona fide
physician-patient relationship
- Bona fide physician-patient relationship means the
physician needs to conduct a physical exam of the patient
- Exam can take place "physically or by the use of
instrumentation and diagnostic equipment through which
images and medical records may be transmitted
electronically"
> Language specifically applies to controlled
substances
- State board indicates it applies to all substances
29. Licensure
> States required to monitor the practice of
professionals within their boundaries
- State medical boards responsible for regulating
physicians and other health care providers
within state.
> Licensure is the process by which states
validate providers’ credentials.
- Confirm a provider is competent to practice
medicine.
30. Licensure (continued)
> Licensure as applied to telemedicine
- Regulations apply to physicians and other providers who
practice telemedicine between health care facilities in
different states
> State licensure restrictions run counter to
telemedicine, which transcends geographical
boundaries
- Patient to Doctor or Doctor to Patient?
> Practitioners are often subject to the licensure laws
of both states – state where they are located and
the state where they are administering the care
31. Types of Licensure
> 2 categories of licensure
- Full license
- 21 states require telehealth providers to seek a full
medical license
- Telehealth provider also required to meet other state
requirements including:
- Paying substantial licensure fees
- Passing additional oral and written examinations
- 11-Limited/Special/Telemedicine license
- Reciprocity between states for telehealth providers
- Limited administrative requirements
32. Licensure Consultation Exception
> Many states have consultation exception
- Physician not licensed in that particular state
can practice medicine in consultation with a
referring in-state physician.
- Scope varies from state to state
- All states allow for consultations
- Six states specifically limit consultation
- Many consultation exceptions not developed
with telehealth in mind.