Medicare Telehealth Reimbursement Update

Our Introduction to Telehealth, Technology and Federal Enforcement chapter was published in the Thomson Reuters 2025 Health Law Handbook.  It reviewed a number of telehealth Medicare revisions, both permanent and temporary, enacted by a series of consolidated appropriation acts and physician fee schedule amendments arising out of the 2020 COVID pandemic.

The temporary telehealth provisions currently due to expire after December 31, 2024 are:

  • Waiver of geographic and originating site requirements
  • Coverage of audio only services
  • Expansion of the eligible distance site telehealth providers
  • Waiver of in-person visit requirements for behavioral telehealth

The Telehealth Modernization Act of 2024 has been introduced to permanently extend the following flexibilities:

  • Rural health clinics and federally qualified health centers serving as distant sites
  • The home of a beneficiary serving as an originating site
  • The authorization of any type of practitioners to furnish telehealth services as determined by CMS

We will keep you advised of developments in that area. In the meantime, please contact Mike Cassidy or Adam Appleberry with questions.

Medicare Decreases Physician Fee Schedule by 2.93%

The final Medicare Physician Fee Schedule was issued on November 1st for calendar year 2025.  Attached is a link to both the Press Release describing all of the Medicare changes and the link to the entire Final Rule.

The Medicare Conversion Factor for the Physician Fee Schedule was decreased from $33.29 from 2024 to $32.35 for 2025, i.e. 2.93%.

Texas Judge Stops FTC Non-Compete Ban From Going Into Effect

In a continuation of the saga surrounding the FTC’s ban on non-compete agreements for for-profit businesses, on August 20, 2024, a ruling from the United States District Court for the Northern District of Texas struck down the FTC’s final rule. In the Texas court’s ruling, U.S. District Judge Ada Brown stated that the FTC’s authority to police unfair methods of competition couldn’t be used to issue substantive regulations that ban an entire category of conduct. According to Judge Brown, this action by the FTC exceeds its authority granted by Congress. This ruling is effective nationwide and not just limited to the Texas case.

The FTC is considering an appeal to this ruling, but for now, the FTC’s ban on non-compete agreements will not go into effect on September 4, 2024. As the situation continues to develop, we will monitor and update on this blog as further updates become available.

Gov. Shapiro Signs Fair Contracting for Healthcare Practitioners Act Into Law

On July 17, 2024, Pennsylvania Governor Josh Shapiro signed the Fair Contracting for Health Care Practitioners Act into law, which will become effective as of January 1, 2025 (click here see the full bill). Any noncompete covenants that are greater than one year in length in an employment agreement for a healthcare provider, entered into after the effective date, are void and unenforceable. The exception that allows for noncompete covenants that are one year in length or less only applies to situations where the healthcare provider departs on their own volition; if a healthcare provider is terminated or dismissed by the employer, the noncompete covenant is not enforceable.

Employers are still authorized to recover reasonable expenses from a healthcare provider for expenses “related to the relocation, training, and establishment of a patient base,” but these expenses can only be recovered if the healthcare provider left on his or her own volition and was not terminated or dismissed by the employer.  

Additionally, any noncompete covenants related to the sale of an ownership interest or the sale of all or substantially all of the assets of a practice are not subject to the restrictions in this Act. If a provider is not a party to the sale, however, the noncompete agreement is void and unenforceable. This exception only applies to those with ownership interests in a practice.

Per the Act, the Health Care Cost Containment Council will perform a study of the effects of this Act within three years following its effective date and will report its findings back to the State Senate’s and State House’s Health and Human Services Committees.

Medicare Proposed 2025 Telehealth Changes

CMS proposed several telehealth changes in the 2025 Medicare Physician Fee Schedule Proposed Rule, issued July 10, 2024. 

Interactive Telecommunication

Beginning January 1, 2025, an interactive telecommunication system may include two-way, real-time audio-only communication technology for any telehealth service furnished to a beneficiary in their home, if the distant site physician or practitioner is technically capable of using an interactive telecommunication system but the patient is not capable of, or does not consent to, the use of video technology.

Distant Site Address

CMS will continue to permit the distant site practitioner to use their currently enrolled practice location instead of their home address when providing telehealth services from their home. 

Direct Supervision

CMS is proposing to adopt, for a certain subset of services that are required to be furnished under direct supervision of a physician or other supervising practitioner, to permanently adopt the definition of direct supervision that allows the physician or supervising practitioner to provide such supervision through real-time audio and visual interactive telecommunications.  CMS is specifically proposing that the physician or supervising practitioner may provide such virtual direct supervision for services furnished incident to a physician service when they are provided by auxiliary personnel employed by the physician and working under his or her direct supervision. 

CMS has also proposed that “immediate availability” for purposes of direct supervision for all other services will include real-time audio and visual interactive communications only through December 31, 2025.

Non-Compete Ban Updates: FTC Rule Challenges & Pennsylvania Healthcare Legislation

Challenges to the FTC Rule

As we previously discussed on Med Law Blog, following the FTC’s approval of the final rule to ban non-compete agreements for for-profit businesses in April, several businesses have challenged the FTC’s authority to enforce this rule. The final rule is set to take effect on September 4, 2024, but in light of the number of challenges still pending, it’s unclear as to whether the FTC’s rule will remain intact. In one such challenge in the Northern District of Texas, the federal judge issued a preliminary injunction on July 3, 2024, that stays this ban for the named plaintiffs in the case, who were Ryan LLC, the Chamber of Commerce of the United States of America, Business Roundtable, the Texas Association of Business, and the Longview Chamber of Commerce. On or before August 30, 2024, the court intends to rule on the merits of the legal challenge that seeks to invalidate the rule for businesses nationwide.

In a separate challenge to the FTC’s rule in the Eastern District of Pennsylvania, ATS Tree Services, LLC claims that the FTC has exceeded its authority beyond what Congress intended. ATS provides tree removal services and firewood sales in Pennsylvania. To be able to effectively provide these services, ATS invests in its employees by offering specialized training in tree care skills. ATS employees sign a non-compete agreement, in exchange for receiving such training, that restricts an employee from directly competing with ATS for one-year following the employee’s termination of employment. According to ATS, by removing the ability to enforce these non-compete agreements, ATS risks losing these employees to competitors after investing a significant amount of time and financial resources, which could jeopardize its business. The motion for a preliminary injunction is still pending in this case, and a decision is expected to be issued on or before July 23, 2024.

Pennsylvania Healthcare Legislation Update

On a separate but related topic specific to healthcare providers in Pennsylvania, the Pennsylvania House of Representatives passed a ban for healthcare non-compete agreements in April, as we previously discussed. This bill, as passed by the Pennsylvania House, will be effective immediately for new restrictive covenants following a provider’s current license renewal. The bill was amended in the Pennsylvania Senate on July 10, 2024, and is currently under review by the Pennsylvania Senate’s Appropriations Committee. We will continue to monitor as this bill progresses through the legislative process, and we will update on this blog as further updates become available.

UPMC/Washington Health System Merger Agreement Limits Non-Competes

The Press has announced that the Merger Agreement between UPMC and Washington Health System was approved by the Pennsylvania Attorney General with certain conditions, one of which was that UPMC would honor existing employment contracts and not impose restrictive covenants or non-compete agreements more restrictive than those that currently exist.

We will be researching that further and will provide whatever information we discover.

Navigating HIPAA’s Breach Notification Rule Following A Breach

In light of the ongoing investigation of Change Healthcare’s ransomware attack that resulted in the improper disclosure of thousands of individuals’ PHI, now seems like a perfect time to discuss HIPAA’s requirements surrounding the notification process following a breach. Whether it’s a small breach where someone in your organization accidentally sent a patient’s contact information to the wrong individual, or a large breach where your system has been hacked and all your patient records have potentially been exposed, the Department of Health and Human Services lays out clear guidance for your next steps.

What is a breach?

Before diving into the required process following a breach, it may be helpful to discuss what is considered a breach in the first place.

Under the Breach Notification Rule, a breach has taken place when there is an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Whether or not a breach has occurred can be determined by a risk assessment that evaluates:

  • the nature and extent of PHI involved;
  • the unauthorized individual who used or gained access to the PHI;
  • whether an unauthorized individual actually acquired or viewed the PHI; and
  • the extent to which the covered entity or business associate reduced the PHI exposure risk.

Unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised, any impermissible use or disclosure of PHI is presumed to have been a breach.

The rule does provide for three exceptions to this definition:

  • If an employee or authorized individual unintentionally, but in good faith and within their scope of authority, accesses or uses the PHI;
  • If the PHI is disclosed to an individual who is not authorized to access that particular individual’s PHI but is authorized to access PHI in general; or
  • If the covered entity has a good faith belief that the unauthorized person to whom the PHI was disclosed would have not been able to access or retain the information.

Notification Requirements

When a covered entity determines that a breach has occurred, the covered entity must provide notification to (1) the individual, (2) the Department of Health and Human Services, and (3) in some situations, the media.

Individual Notification

The individual must be notified without unreasonable delay but no later than 60 days following the discovery of the breach.

In the notification, the individual must be provided:

  • a brief description of the breach;
  • a description of the types of information that were involved in the breach;
  • the steps the individual should take to protect themselves from potential harm;
  • a description of what the covered entity is doing to investigate the breach; and
  • contact information for the covered entity.

This notification must be provided in the form of first-class mail but can be sent via email if the individual has agreed to receive such notices electronically. In the event that the covered entity is unable to contact 10 or more individuals affected by the breach, the covered entity must substitute the individual notice by either posting the notice on its website for a minimum of 90 days or by providing the notice in the media where the affected individuals likely reside. In these instances, the covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can call to learn if their information was involved in the breach.

When a business associate is responsible for the breach, the covered entity remains the party responsible for providing notification to the individuals affected. In these situations, the business associate must notify the covered entity within 60 days.

Department of Health and Human Services Notification

The process for notifying the Secretary of the Department of Health and Human Services can be completed online on the HHS website (click here).

In breaches that affect 500 or more individuals, the Secretary must be notified without unreasonable delay but no later than 60 days following the discovery of the breach.

In breaches that affect less than 500 individuals, the notification requirement only needs to occur annually but no later than 60 days after the end of the calendar year in which the breach is discovered.

The Department of Health and Human Services maintains a list on its website of recent HIPAA breach cases under investigation (click here).

Media Notification

In situations where 500 individuals or more are affected by a breach, the covered entity must provide notice to the prominent media outlets covering the region where the affected individuals likely reside. This notice can be provided in the form of a press release, must include the same information as required for notifying the individuals, and must be provided without unreasonable delay but no later than 60 days following the discovery of the breach.

Conclusion

Navigating HIPAA compliance can be a confusing and burdensome task – we are here to help. If you’ve had a breach and are questioning what your next steps should be, or if you have a general question about how to better align your practice’s processes with HIPAA’s compliance requirements, please reach out at aappleberry@tuckerlaw.com or (412) 594-5532.

LexBlog