Archive for Technology

The FTC Expands Notification Requirements for Health Breaches on Health Apps

By: Ashton Brock, Burr & Forman LLP

On April 26, 2024, the Federal Trade Commission (FTC) published a final rule aiming to clarify the current Health Breach Notification Rule (HBN Rule), giving greater protections and expanding breach notification requirements for vendors of personal health information who are not regulated by HIPAA. According to the FTC, this final rule is designed to strengthen and modernize the HBN Rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.

To start, the FTC first developed a breach notification rule for consumer-facing entities that are not HIPAA covered entities or business associates in 2009, when the American Recovery and Reinvestment Act of 2009 granted it the rulemaking authority to do so. The FTC’s first version of its HBN Rule was limited. Although limited, its goal was to hold accountable those entities existing in the market that offered personal health record (PHR) services which were not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This first rule required that PHR related entities notify impacted consumers, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health information.

Now, however, the FTC has clarified and expanded the initial rule to broaden protections and notice requirements to include health apps and similar technologies. As such, physicians should pay particular attention to this updated HBN Rule if they are involved in the development of apps or in any way related to the information that is collected on these apps. Specifically, the updated rule finalized changes that include:

  • Revising definitions of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies;”
  • Clarifying what a “breach of security” is, to state that it includes unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising the definition of a PHR related entity. This is two-fold, starting with making clear that the final rule covers entities that offer products and services through online services, including mobile applications, of vendors of PHRs, and then further makes clear that only entities that access or send unsecured identifiable health information to a PHR — rather than entities that access or send any information to a PHR — qualify as PHR related entities; 
  • Clarifying what it means for a PHR to draw PHR identifiable health information from multiple sources;
  • Expanding consumer notice requirements, now stating that the notice must include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security; 
  • Changing the time requirement, stating that for breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security; and 
  • Improving the rule’s readability to promote compliance.

All in all, the final rule seeks to clarify and broaden the reach of the HBN Rule to keep up with the ever-changing innovations in the healthcare industry. This includes health apps or websites that offer products or services solely through online services or mobile applications and that both send and receive identifiable health information, like fitness trackers and wearable blood pressure monitors. Now, these apps or websites are required to alert their vendors of their status as a PHR related entity or vendor of PHR in order to put vendors on notice of the potential implications under the Rule.

The final rule becomes effective 60 days after publication in the Federal Register. With breaches of the HBN Rule subject to civil penalties under Section 18 of the FTC Act, physicians should immediately review the final rule’s requirements if they have not already done so. For the full rule, see https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule.

Ashton Brock is an Associate at Burr & Forman LLP. Ashton may be reached at (205) 458-5340 or abrock@burr.com.

Posted in: Legal Watch, Technology

Tracking A Patient’s Every Move: HIPAA Compliance Risk

By: Kelli Fleming with Burr & Forman LLP

The Health and Human Services Office for Civil Rights (“OCR”) recently published a guidance bulletin addressing the use of online tracking technologies by entities covered by HIPAA, including but not limited to physician practices.

A tracking technology is used to collect information about how online users interact with websites or mobile applications. For example, have you ever wondered why, after you search for a product on Google, it automatically appears as an ad in your social media for the next few days? That is the result of a form of tracking technology.

When used by healthcare providers, the information that is collected by way of a tracking technology may be considered protected health information (“PHI”) covered by HIPAA. If a healthcare provider utilizes a tracking technology vendor to gather and analyze information, including information about patients, the provider must ensure that the release of the information to the vendor is compliant with HIPAA and is not an impermissible use or disclosure. 

In the recent bulletin, OCR clarified that individually identifiable information “collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the [information] does not include specific treatment or billing information like dates and types of healthcare services.” 

Covered entities that engage a user-authenticated webpage (i.e., a website that requires a log-in) should only allow tracking technologies to use and disclose information in compliance with HIPAA, including in a secure manner. In order to comply with HIPAA, the covered entity must either enter into a Business Associate Agreement (“BAA”) with the vendor, or obtain patient authorization for such use and/or disclosure. Disclosing PHI to tracking technology vendors based solely on informing individuals of such use in the website’s privacy policy or terms of use is not sufficient, nor is merely accepting or rejecting cookie use. There must be either a valid, HIPAA compliant patient authorization or a BAA, and the use and/or disclosure must be permissible under HIPAA. For example, a disclosure to a tracking vendor for marketing purposes, without an authorization, would be impermissible.

Covered entities using a website that is not user-authenticated (i.e., does not require a log-in) need to determine if any of the information obtained by the tracking vendor would be individually identifiable and constitute PHI. If so, a BAA and compliance with HIPAA would be required. However, the determination as to whether or not PHI is being collected by the vendor is not always clear and may not necessarily be known by the provider. OCR provides the example that if a student is writing a term paper regarding oncology services and visits a hospital’s oncology services webpage, information tracked in connection with that website visit would not be considered PHI. However, if a patient were looking at the same page regarding oncology services to seek a second opinion on treatment options for a brain tumor, information tracked in connection with that website visit would be considered PHI. It would be difficult, if not impossible, for providers to determine the purpose of the visit.

Thus, based on the recent OCR guidance, if a covered entity is utilizing tracking technologies on its websites, in my opinion, the provider should always act as if PHI is being tracked and enter into a BAA with the vendor and ensure the use/disclosure is appropriate under HIPAA.

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Posted in: HIPAA, Legal Watch, Technology

Proposed Penalties for Information Blocking Violations

By: Kelli C. Fleming, Esq. with Burr & Forman LLP

On October 30, 2023, the Department of Health and Human Services (“HHS”) released a proposed rule establishing penalties against healthcare providers who violate the information-blocking rules implemented under the 21st Century Cures Act. The information blocking rules prohibit a healthcare provider, among other “actors” as defined in the rules, from taking any action that is likely to interfere with the access, exchange, or use of electronic health information contained in a designated record set (“EHI”), unless the action is required by law or an applicable legal exception is met. The information blocking rules apply to any request for EHI from any requestor, not just a request to access information from patients.

Currently, there are no penalties against healthcare providers for violating the information-blocking rules. The latest information-blocking proposed rule aims to change that by allowing for payment disincentives for healthcare providers who violate the information-blocking rules. For eligible hospitals and critical access hospitals, the disincentives include not being able to be deemed a meaningful EHR user in the applicable EHR reporting period. For eligible individual providers, the disincentives include not being able to be deemed a meaningful user of certified EHR technology in a performance period and therefore receiving a zero score in the Promoting Interoperability performance category of MIPS. For accountable care organizations and their participants, the disincentives include not being able to participate as an ACO for at least a year. 

“HHS is committed to developing and implementing policies that discourage information blocking to help people and the health providers they allow to have access to their electronic health information,” said HHS Secretary Xavier Becerra. “We are confident the disincentives included in the proposed rule, if finalized, will further increase the appropriate sharing of electronic health information and establish a framework for potential additional disincentives in the future.”

The proposed rule regarding the information blocking disincentives is currently available for public comment. Written or electronic comments must be received on or before January 2, 2024.

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the firm’s Health Care Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Posted in: Legal Watch, Technology

Online Tracking Tools—Be Cautious.

By: Kelli C. Fleming, Esq., Burr & Forman LLP

The Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) recently teamed up to warn several healthcare providers about the privacy and security risks affiliated with online tracking technologies. According to the warning, these online tracking technologies may, under certain circumstances, be improperly disclosing protected health information (“PHI”) to third-parties or using such information for impermissible purposes.

Third-party tracking technologies, for example, Google Analytics, collect information about how users, oftentimes patients, interact with a provider’s website. Once collected, such information may be sent to the third-party who developed such technologies or used for marketing purposes without patient authorization. The unauthorized disclosure of this information to third-parties and the use of this information for marketing purposes could violate both HIPAA and the FTC Act. Providers who use a third-party website developer are unfortunately sometimes unaware that such technologies are even being used on their websites.

Indicating that online tracking is an area of priority, OCR issued guidance regarding online tracking technologies in December 2022. This guidance provides a general overview of how HIPAA applies to a provider’s use of online tracking technologies by addressing the following: (1) what is a tracking technology; (2) how does HIPAA apply to regulated entities’ use of tracking technologies; (3) tracking on user-authenticated webpages; (4) tracking on unauthenticated webpages; (5) tracking within mobile apps; and (6) HIPAA compliance obligations for regulated entities when using tracking technologies. This guidance is available at https://www.hhs.gov/about/news/2022/12/01/hhs-office-for-civil-rights-issues-bulletin-on-requirements-under-hipaa-for-online-tracking-technologies.html. 

In addition to agency enforcement, lawsuits are starting to be filed for violations of privacy and confidentiality due to improper uses and disclosures stemming from online tracking technologies. Thus, providers utilizing online tracking tools or allowing website developers to use such tools should closely review the relevant guidance to ensure that any disclosures and uses are appropriate. 

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the firm’s Health Care Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Posted in: Legal Watch, Technology

No Honor Among Thieves

Most Americans will likely never forget where they were in March of 2020 when the world seemingly shut down.  While many used that time to reflect, enjoyed down time with family or even binge watched streaming services, health care workers geared up to save the lives of people impacted by COVID-19.  The novelty of this coronavirus posed exceptional challenges, placed unparalleled strain on the health care industry and exposed vulnerabilities.

One vulnerability in particular has been, is and will continue to be a significant risk. That threat is cybercrime. It is as relentless as it is lucrative, and it has taken the health care industry by storm during a time when resources are low and distractions are high.

DIGITAL CALM BEFORE THE STORM

In an almost unbelievable twist, some major cybercrime groups promised a “ceasefire” on cybersecurity attacks on the health care industry at the beginning of the pandemic. DoppelPaymer Ransomware stated that they “always try to avoid hospitals…nursing homes” but if they happened to be responsible for a ransomware attack on a health care provider during the pandemic, they would provide a decryptor key free of charge. Likewise, Nefilim Ransomware took the same approach. However, groups like Netwalker Ransomware and Maze promised not to intentionally target health care facilities, but would not commit to decryption if a health care entity was inadvertently impacted.

While the alleged truce made by some of the larger cybercriminal groups may have appeared to be altruistic, the motivation may have been totally self-serving. During a global crisis, these groups likely decided that staying below the radar of law enforcement and military agencies was more about self-preservation than kindness to their fellow man.

CYBERCRIMINAL LEVEE BREAKS

While hopes were high that a global pandemic would cause bad actors to have mercy on mankind, data reflects that cybercrimes escalated during the pandemic.  On October 28, 2020, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) issued a joint advisory warning of an “increased and imminent cybercrime threat to U.S. hospitals and health care providers.”  It further stated that these bad actors were producing attacks which caused “data theft and disruption of healthcare services.”

As the global threat of cybercriminal activity proliferates within the health care sector, the industry must find ways to fight back. One way that the health care industry can stand up against these persistent threats is by investing more in its information security infrastructure, similar to that of the financial sector. These investments should include stronger password requirements, endpoint protection, and multi-factor authentication.

MITIGATE RISK

Every effort must be made to determine and mitigate risk to protected health information.  There are several proactive measures that health care entities can take to decrease their risk of inappropriate disclosures of patient data.  Those measures include, but are not limited to, the following:

  • Invest in Anti-Virus Protection Software – Anti-virus protection software is a tool that can help entities detect and neutralize threats.  Most entities prefer efficiency.  This software will assist by filtering out malware which often slows down information system processes.  It has the added benefit of protecting your investment and allowing you to avoid the expense of purchasing new operating systems should your existing system become damaged due to malware.
  • On-Site and Off-Site System Backup – Federal regulations require covered entities to ensure on-site and off-site backup.  Should an entity become a victim of a ransomware attack or be forced to pivot to emergency operations, it is necessary to have backup systems that allow the entity to access and utilize reliable data.
  • Workforce Training – There is no greater defense to cyber threats than a well-trained workforce.  Entities should ensure that cybersecurity threats are emphasized to workforce members in refresher training so that employees are able to appropriately identify and report suspicious activity.
  • Segregation of Data – Entities should ensure that they are complying with the Minimum Necessary Rule for access to their information systems.

The COVID-19 pandemic has produced significant uncertainty in the health care environment and highlighted the need for renewed emphasis on protecting patient data.  HIPAA covered entities should use this time to assess whether they are operating in compliance with the Privacy Rule, Security Rule and Breach Notification Rule.  Likewise, they should reassess their Risk Analysis to ensure that it is HIPAA-compliant and take necessary action to avoid unauthorized disclosures. 

Samarria Dunson (samarria@dunsongroup.com) is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  She is also Of Counsel with the law firm of Balch & Bingham, LLP.

www.dunsongroup.com

Posted in: Members, MVP, Technology

Physicians Perspective: Dr. Chris Adams Talks Telemedicine

Adversity and necessity mandate invention. 

During the COVID-19 pandemic, telemedicine has been transformed almost overnight into a necessary medical tool for remaining connected to our patients.  Without warning, physicians suddenly found themselves in the position of adding communication technologies, learning regulatory requirements, and adapting to an entirely new way of interacting with patients, sometimes reinventing their standard clinic procedures.  Similarly, government and private health care had to modify longstanding obstacles and prohibitions by allowing interstate practice and revising reimbursement policies.

I doubt there is a physician in our state who believes they could have managed their patients through this pandemic without the benefit of telemedicine.  Having said that, telemedicine is not a panacea. 

Practicing in a rural environment, we have discovered that bandwidth challenges are a huge issue. Older patients also have vision and hearing challenges that make telemedicine less effective than face-to-face visits. There is still an enormous amount of paperwork involved in conducting a telemedicine visit; it is not simply a matter of “picking up the phone and chatting.” That is one reason why it is so important to have parity for video and telephone encounters.

Despite these challenges, most clinicians would like to maintain the availability of this tool as we continue our social and medical confrontation with coronavirus. At the same time, we also recognize inherent limitations that telemedicine imposes (I just cannot do a good knee exam over the telephone). The challenge we now face is to define and refine best practices for employing telemedicine. Part of this effort will require continued advocacy and encouragement of health delivery systems to support telemedicine. Some of this will also necessitate new legal safeguards for practitioners employing this tool.

As you reflect on how this pandemic has changed your practice, please consider how you can support and contribute to the future of medicine in our state by advocating for your patients and your practice.  It is up to us as clinicians to help mold the future of healthcare delivery.

Posted in: Advocacy, Coronavirus, Members, Technology

Summary of Telehealth Waivers as of April 1, 2020

By: Jim Hoover, Burr & Forman, LLP

The changes made to the requirements for telehealth services since the start of the COVID-19 pandemic have been swift and substantial. For the first several weeks, it seems changes were made almost daily.  As time has passed, the changes to telehealth have stabilized enough that a summary of the current telehealth issues is possible. However, changes may still be forthcoming so the following is a summary of the significant topics related to providing telehealth services as of the date of this article. Physicians should continue to monitor announcements related to telehealth requirements as changes will surely continue to evolve. 

Medicare – On March 30, 2020, the Centers for Medicare & Medicaid Services (CMS) announced additional temporary expansion of telehealth services to Medicare beneficiaries. CMS’s announcement of this new reimbursement flexibility builds on its prior expansion of telehealth services to address the COVID-19 pandemic. Prior to the March 30, 2020 announcement, CMS announced the following: (1) the patient location requirement was being waived to allow the patient to be in their home or other location; (2) the audio-video link can be something as simple as Skype, FaceTime or Facebook Messenger video calls. However, the audio-video link has to be a real-time audio and a one-to-one video connection, and cannot be public-facing; (3) the patient cost share can be waived at the providers’ discretion; and (4) CMS stated it will not audit to verify that there is an established patient relationship.

CMS announced in its March 30, 2020 announcement that it is now also allowing Medicare beneficiaries to receive care via telehealth by: (1) adding more than 80 services to the list of services payable under the Medicare Physician Fee Schedule when furnished via telehealth, including emergency department visits, initial nursing facility and discharge visits, critical care services, home visits for new and established patients, and physical and operational therapy services; (2) allowing clinicians to provide Virtual Check-In services to new patients in the same manner as they previously could provide only to established patients; (3) allowing licensed clinical social workers, clinical psychologists, physical therapists, occupational therapists, and speech language pathologists to provide e-visits; (4) allowing clinicians to provide certain services by audio phone only to their patients; (5) allowing clinicians to provide Remote Patient Monitoring, for acute or chronic conditions, to both new and established patients; (6) removing certain frequency limitations on Medicare telehealth; (7) expanding the use of telehealth to certain home health and hospice services; and (8) expanding the definition of “homebound” so that when a physician determines that a Medicare beneficiary should not leave the home due to suspected or confirmed COVID-19, the patient can qualify for the Medicare Home Health benefit.

Medicare Miscellaneous Issues – Patient consent may be obtained annually and obtained by ancillary staff. Direct supervision of services, such as incident-to services, normally requires that the supervising/billing physician be in the office suite and immediately available. However, for the duration of the PHE, direct supervision can be provided by real-time interactive audiovisual technology.

Billing

Medicare – As an initial matter, telephone calls are still not the same as telehealth for Medicare purposes. A full list of the Compliant List of Medicare Telehealth and the Medicare Telehealth Code List for 2019-2020 is located on CMS’ website at the following address https://www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth-Codes.

CMS is allowing payment for certain codes related to telehealth services because, as an example, CMS recognizes that some problems can be handled over the phone without a face-to-face visit, but may require more than the 5-10 minutes. The codes for established patients for physician or other qualified professionals (nurse practitioners or physician assistants) include 99441 (requires 5-10 minutes of medical discussion), 99442 (requires 11-20 minutes of medical discussion), and 99443 (requires 21-30 minutes of medical discussion). Practitioners should report the E/M code that best describes the nature of the care they are providing. Previous guidance was to use POS 02, which will cause payment to be made at the lower facility rate. Alternatively, providers can choose to use the POS code that most accurately reflects where the service is performed and append modifier 95. This will cause payment to be made at the higher non-facility rate.

Alabama Medicaid – Medicaid normally requires separate credentialing for providers performing telehealth; however, that restriction has been waived for the time period for dates of service from 3/16/2020 – 4/16/2020. Medical providers may bill established patient evaluation and management codes 99211, 99212 and 99213 for telephone consultations. Psychologists and behavioral health professionals should bill 90832, 90834, 90837, 90846, 90847 and H2011. Verbal consent must be obtained and documented in the medical record. These visits will count against the patient’s office visit limit of 14 visits per year.

Blue Cross and Blue Shield of Alabama – is allowing providers to bill for telephone call treatment of existing patients under the established patient office visit codes for dates of service from 3/16/2020 – 4/16/2020. They are allowing codes up to 99213 with place of service code 02 for telehealth. No modifier is required. The physician should be the one speaking with the patient — not the office staff.

HIPAA – Over the past several weeks, the Office for Civil Rights (“OCR”) has issued several notices regarding HIPAA in light of the current COVID-19 pandemic. The OCR issued a Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency. OCR stated that it would relax its enforcement actions with regard to compliance with certain aspects of HIPAA (and not enforce penalties) in order to allow providers to better treat their patients via telehealth. A health care provider that wants to use audio or video communication technology to provide telehealth to patients during the public health emergency can use any non-public facing remote audio or video communication product that is available to communicate with patients. Health care providers may use applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. However, communication applications that are public facing should not be used. OCR further stated that it would not impose penalties against health care providers for the lack of a Business Associate Agreement with video communication vendors. The above applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. The OCR also issued additional guidance in the form of frequently asked questions (FAQs) which are available at https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.  

State Licensure – Most states have greatly relaxed or streamlined their licensing requirements and application process to make it easier for physicians to provide telehealth services across state lines. However, the application process and requirements for each state differ so it is extremely important for physicians to check with each state. For example, the state of Tennessee requires the practitioner to complete and submit an application, which can be found at: https://www.tn.gov/content/dam/tn/health/documents/cedep/novel-coronavirus/Boards-Executive-Order-Form.pdf. The determination is made on a case by case basis. It appears most applications are being approved by the Tennessee Department of Health because as of the end of March 2020 the Department had received 61 applications and approved 59 applications, denied one, and one was under review. The State of Florida, for purposes of preparing for, responding to, and mitigating any effect of COVID-19, permits health care professionals not licensed in Florida to provide health care services to a patient located in Florida using telehealth, for a period not to exceed 30 days unless extended by order of the State Surgeon General. The exemption applies only to out of state health care professionals holding a valid, clear, and unrestricted license in another state or territory in the United States who are not currently under investigation or prosecution in any disciplinary proceeding in any of the states in which they hold a license.

While the telehealth waivers and notifications have slowed down in recent days, it is still very important for physicians to keep updated on the various requirements from state licensing authorities and payors.

Jim Hoover practices with Burr & Forman LLP, works exclusively within the firm’s Health Care Industry Group, and primarily handles healthcare litigation and compliance matters.

Posted in: Legal Watch, Medicaid, Medicare, Technology

Telehealth in Alabama during COVID-19 Public Health Emergency (PHE)

prepared by Kim Huey, MJ, CHC, CPC, CCS-P, PCS, CPCO, COC

March 19, 2020

The most important thing to remember is that payers have differing definitions of what they consider telehealth.  I recommend checking with the applicable insurer for the most up-to-date information affecting requirements for coding and billing of telehealth services.  A few things to ask about: 

  • What are the effective dates?  Most insurers are limiting this exemption to a specific period of time. 
  • What services are covered? 
  • How are those to be billed? 
  • Do we use telehealth codes or office visit codes? 
  • What place of service? 
  • What modifiers are necessary?
  • For fee-for-service, traditional Medicare

The information below pertains to the major payers in Alabama as of 3/18/2020 –

Blue Cross Blue Shield of Alabama is allowing providers to bill for phone call treatment of existing patients under the established patient office visit codes from 3/16/2020 – 4/16/2020.  They are allowing codes up to 99213 with place of service code 02 (zero two) for telehealth. No modifier is required.  Many providers are concerned about reaching that level of service when no examination can be performed.  Remember that established patient office visits require only two of the three key components – history, examination, medical decision-making.  If the physician documents an expanded problem-focused history and low complexity medical decision-making, 99213 will be supported.  This must be the physician speaking with the patient, not the office staff.

Alabama Medicaid normally requires separate credentialing for providers performing telehealth; however, that restriction has been waived 3/16/2020 – 4/16/2020 (dates of service).   Medical providers may bill established-patient evaluation and management codes 99211, 99212 and 99213 for telephone consultations.   Psychologists and behavioral health professionals should bill 90832, 90834, 90837, 90846, 90847 and H2011. A dental provider should bill D0140.  Place of service code 02 (zero two) for telehealth and modifier CR are required.  Verbal consent must be obtained and documented in the medical record.  These visits will count against the patient’s office visit limit of 14 visits per year.

United Health Care is waiving originating site restrictions for their commercial, Medicare Advantage, and Medicaid plans.  The patient may be at home or at another location.  All the other requirements for telehealth must be met – real-time audio and video communication system required. These include the place of service 02 and the GQ (asynchronous telecommunications system) or GT (interactive audio and video telecommunication system) modifier.  This waiver is only in effect until April 30, 2020.

Medicare

Fee-For-Service Medicare DOES NOT allow telephone calls to be billed as telehealth.  The PHE waiver provides three specific exceptions to the existing telehealth regulations:

  1. the patient can be in their home or other location – they do not have to be in a healthcare facility in a HPSA.
  2. the audio-video link can be something as simple as Skype or FaceTime or Facebook Messenger video calls – but it has to be a real-time audio AND video one-to-one connection, not something public-facing
  3. cost sharing can be waived – it is not waived automatically, but it can be waived at the providers’ discretion.

CMS also stated that they will not audit to verify that there is an established patient relationship.  Services are limited to the list of telehealth services at:  https://www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth-Codes

This does include office visits, consultations, Transitional Care Management, and Annual Wellness Visits.  Place of service is 02 (zero two) for telehealth.  No modifier is necessary unless you are billing from a CAH Method II hospital (GT) or you are treating the patient for an acute stroke (G0).  There is also a modifier for a telemedicine demonstration project in Alaska or Hawaii (GQ).

NOTE: Although CMS stated that no modifier is necessary, Palmetto GBA is requesting modifier CR be appended for tracking purposes.

For services that have a site of service differential, payment will be made at the facility rate.

CMS has not specified an end date for these exceptions, just that they will be allowed as long as the Public Health Emergency declaration is in effect.

If there is not a real-time audio-video connection, then you are limited to one of the following:

Virtual Check-In

  • G2012 – Brief communication technology-based service, e.g. virtual check-in, by a physician or other qualified health care professional who can report evaluation and management services, provided to an established patient, not originating from a related E/M service provided within the previous 7 days nor leading to an E/M service or procedure within the next 24 hours or soonest available appointment; 5-10 minutes of medical discussion
  • G2010 – Remote evaluation of recorded video and/or images submitted by an established patient (e.g., store and forward), including interpretation with follow-up with the patient within 24 business hours, not originating from a related E/M service provided within the previous 7 days nor leading to an E/M service or procedure within the next 24 hours or soonest available appointment

Please note the following restrictions:

  • Established patients only (same definition as for other E&M services)
  • Verbal consent required and must be documented in the patient’s medical record
  • No service-specific documentation requirements but medical necessity must be documented.
  • May only be billed by those providers who can perform and bill E&M services

To clarify – G2012 has been in effect since 1/1/2019 – it is supposed to be for an established patient, but CMS has said they will not audit for that requirement during this time.  It does not require the video link, so it is really the only option for phone calls.  It cannot be related to an office visit within the past 7 days, as that would be considered part of the work of the already-billed office visit.  And if the doctor tells the patient to come in at the first available appointment, it can’t be billed as it would be considered the pre-work for the upcoming office visit.  As it specifies 5-10 minutes of medical discussion, time should be documented.

For email or portal communication, we also have these codes, new for 2020:

  • #99421 – Online digital evaluation and management service, for an established patient, for up to 7 days, cumulative time during the 7 days; 5-10 minutes
  • #99422 – …11-20 minutes
  • #99423 – … 21 or more minutes

Please note the following restrictions:

  • Patient-initiated digital communications requiring a clinical decision that would otherwise be made during an office visit
  • Physician/Qualified Healthcare Professional (QHP) time only
  • Not billable if the patient is seen in person or through telehealth within the 7-day period

For All Payers –

There have been questions on how to perform a visit by phone or audio-video without being able to examine the patient.  First of all, established patient visits require two of the three key components:  history, examination, and medical decision-making.  A visit can be billed based on history and medical decision-making.  However, some examination can be done without laying hands on the patient.  Observation can be done through video, and sometimes just through audio.  A physician can observe skin tone, abnormal movements, respiratory effort and many other exam elements without being able to necessarily touch the patient.  A complete Psychiatric exam can be accomplished through talking with the patient.

For example, the patient calls in with complaint of dysuria. The physician documents the complaint (Duration, Timing) and further asks questions about fever, nausea and vomiting (Constitutional and Gastrointestinal Review of Systems).  He also reviews the patient’s Past Medical History and Allergies.   Based on her previous history, he suspects that the patient has a urinary tract infection and orders an antibiotic.

A patient with asthma calls in with an exacerbation – the physician can actually hear the patient wheezing over the telephone – that would be documented as a problem-focused examination.

The key point is that the physician himself must have the conversation with the patient on the phone or through the audio-video link.  This may be something that a nurse may have handled previously, but now it must be performed by the physician to be billable. 

Posted in: Blue Cross Blue Shield of Alabama, CMS, Medicaid, Medicare, Members, Technology


You Can Help Improve Transparency in the Certified Health IT Market


Visit Open Forums in May to Inform a New Comparison Tool

Stop by to provide input at an upcoming open forum on the new EHR Reporting Program, which will provide publicly-available, no-cost, comparative information on certified health IT available on the market.

We are also providing a link for regional stakeholders to participate in the open forums virtually.  Please note that the open forums are scheduled for two hours, but feel free to drop-in when you’re available.

In the 21st Century Cures Act of 2016, Congress directed the US Department of Health and Human Services (HHS) to establish a new EHR Reporting Program, which the Office of the National Coordinator for Health IT (ONC) is currently developing. The goal of this program is to provide publicly-available, comparative information about certified health IT features related to security, usability, interoperability, conformance to certification testing, and other areas in order to improve the transparency of the market.

ONC has contracted with the Urban Institute and its subcontractor, HealthTech Solutions, to obtain stakeholder input on how to develop the EHR Reporting Program through public open forums across the country. Input from people like you will help determine:

  • What information should developers of certified health IT report? What information from users could be made available?
  • How that information is collected
  • How this information will be disseminated to the public (for example, would you prefer a product comparison website, data in a spreadsheet, or something else?)

Upcoming Open Forums

Public Health/AL Medicaid/AL Health Information Exchange
Monday, May 20, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/155156076

AL Primary Healthcare Assn (FQHC)/ Rural Health
Monday, May 20, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/432907928

AL Academy of Pediatrics/Primary Care
Monday, May 20, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/505593044

Health Systems/Hospitals
Tuesday, May 21, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/824124145

General Public Open Forum
Tuesday, May 21, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/806771227

General Public Open Forum
Tuesday, May 21, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/675043250

Can’t make any of these events? Watch for more events where stakeholders can make suggestions at: https://healthtechsolutions.com/EHR-reporting-program.

If you have any questions regarding the Open Forum, please contact Pam Zemaitis of HealthTech Solutions at Pam.Zemaitis@HealthTechSolutions.com.

Posted in: Technology


The Painful Reality of Ransomware and How to Protect Against It


Imagine if in a split second you were unable to access all of your patients’ health care records. A cruel ransomware attack had locked you out of your computer system, and in order to regain your precious data you needed to pay a cybercriminal’s demand in bitcoin.

Unfortunately, by the time you finish reading this article, several businesses in the U.S. will experience this dreadful reality. Most commonly, the disaster will occur when an infected email attachment is opened and the infection spreads through a network.

Health care providers have a significantly higher risk of being targeted by ransomware. The reason for this is simple: you possess a large amount of data that is valuable to cybercriminals. In addition, hackers know you need to access medical records, digital x-rays, and test results to provide medical services to your patients. This, they hope, will motivate you to meet their demands to get your protected health information back.

A sudden disruption to a business proves to be a strong impetus. Nearly three-quarters of businesses infected by ransomware pay up to recover their data. Studies show, however, that less than half of them receive the necessary decryption key to unlock their data. The good news is there’s a simple, secure solution to avoid going through this painful scenario.

Ironclad Data Protection

Many practices don’t have the expertise, time or resources to deal with a ransomware attack. Many feel confident that their IT service provider has addressed security and backup needs in the event of a disaster. As a leading provider of HIPAA compliance software, we know several cases where a practice’s IT provider has not properly backed up their system. This can put you in the unenviable position of having to deal with unsavory cybercriminals. Here’s how our OfficeSafe software protects your data with the most secure online backup storage service available, and alleviates worries about a ransomware attack.

We provide a HIPAA compliant data backup solution with 256-bit encryption and SQL database restoration. This makes backing up and restoring your practice’s crucial data easy. In the event of a ransomware attack, you’ll have ten days of data backup, enabling your practice to easily find a clean data backup set. This is critically important. If your practice doesn’t have the capability to reinstate your data to multiple restore points in the past, you don’t have a sufficient disaster recovery solution.

OfficeSafe’s centralized management portal is designed for healthcare service providers and goes beyond file-and-folder backups, delivering a secure hybrid local and cloud solution. With our point-to-point encryption, you can use your existing email address to send messages via Gmail and other popular email client services. OfficeSafe also includes an emergency planning tool that helps members of your team expedite their response to unexpected situations.

The HIPAA Security Rule mandates that ransomware on your computer system or on that of a business associate must be reported to the government, as well as to the affected patients. If more than 500 records have been breached, you need to alert the media. The only caveat to this rule is if you can prove there’s a low probability that your protected health information has been compromised. Don’t let an unexpected incident cripple your business and tarnish your practice’s reputation.

Call us today at (800) 588-0254 or find out how we can work alongside your IT team to provide your business with full data protection in the event of a disaster.

Posted in: Technology
