HHS has published a very brief guide, in the form of a checklist, to explain the steps for a HIPAA covered entity or business associate to take in response to a cyber related security incident. You can access the checklist at this link:
The Texas Medical Board and Teladoc have been battling for seven years, and through several rounds of litigation over whether a patient relationship can be established for purposes of providing telemedicine services without an initial face-to-face or in-person visit. This all changed when Texas governor, Greg Abbott, signed Senate Bill 1107, which will take effect immediately if approved by two thirds of the members of the Texas legislature or on September 1, 2017 if not approved for immediate effect.
The ATA Telehealth Morning Update reported on Thursday, June 1, 2017, that Texas, which was the last state in the country to insist that personal contact was required to establish a valid physician patient relationship, has now resolved these issues.
Senate Bill 1107 provides the following:
a. The Bill allows the establishment of a physician patient relationship by either
1. Synchronous audio visual interaction, or
2. Asynchronous store and forward interaction when used in conjunction with synchronous audio, which could obviously be a telephone or video conferencing, as long as relevant video or photographic images are available or other relevant medical records.
b. The Bill excludes telemedicine medical services for prescribing abortifacient drugs or devices.
c. The Bill prohibits insurers from excluding services solely because they were provided by telemedicine means.
d. The Bill allows insurers to exclude services that are solely provided by audio, text or faxed methods of communication.
On April 11, the Pennsylvania Department of Health (DOH) released Practitioner Temporary Regulations for physicians and practitioners (those physicians, pharmacists, physician assistants and certified registered nurse practitioners to be employed by a licensed dispensary). In a press release issued yesterday, DOH Secretary Dr. Karen Murphy stated that “[t]he process for a patient to obtain medical marijuana will begin with the physician, so it’s vital to ensure that our regulatory process for those physicians is open and transparent.”
The press release also provides that “the Practitioner Temporary Regulations outline the process for a physician with an active Pennsylvania license to register as a practitioner in the Medical Marijuana Program. Registration allows a practitioner to certify a patient’s [with one of 17] serious medical condition[s] and offer his or her recommendations on a course of treatment for the patient that includes obtaining medical marijuana at a permitted commonwealth dispensary.” In order to become registered, physicians and practitioners must complete a 4-hour training course that: educates them on their responsibilities as medical professionals and marijuana laws and regulations; and, provides latest scientific research information, best practices for recommending medical marijuana and dosage based on the patient’s serious medical condition. Successful completion of the course shall be approved as CME or equivalent credits as determined by the overseeing professional boards for physicians and practitioners.
Marijuana is categorized as a Schedule I drug under the Controlled Substances Act (CSA) (21 U.S.C. 812(c)). Schedule I drugs are defined as drugs with no currently accepted medical use in treatment in the United States and a high potential for abuse. Because Marijuana is categorized as Schedule I, anyone convicted of trafficking offenses is subject to possible federal fines and imprisonment. In order to address this concern, Section 2103(A)(3) of the Pennsylvania Medical Marijuana Act (the Act) provides that no practitioner shall be subject to arrest, prosecution or penalty in any manner, or denied any right or privilege, including civil penalty or disciplinary action by a Commonwealth licensing board or commission, for actions taken in accordance with the Act. Furthermore, with respect to federal concerns, the Ninth Circuit Court of Appeals ruled in Conant v. Walters 309 F. 3d 629 (2002) that the federal government could neither punish nor threaten to punish a physician for discussing the merits of medical marijuana with a patient and issue a recommendation to use medical marijuana within a bona fide doctor-patient relationship, as that is considered to be protected by the First Amendment right of free speech. On October 14, 2003, the Supreme Court declined to review the decision under Conant v. Walters, U.S. No.03-40 and has let the ruling of the Ninth Circuit stand. Doctors are not permitted to write prescriptions because the licensing for prescribing controlled substances is issued by the Drug Enforcement Administration (DEA), a federal organization. The Practitioner Temporary Regulations is drafted to comply with both the Act and Conant, where registered physicians will write recommendations and not prescriptions to patients. As such, Pennsylvania licensed doctors in good standing with their boards who are interested in becoming registered for the Medical Marijuana Program can at least initially rely on them for guidance.
The DOH is asking for feedback and comments to the Practitioner Temporary Regulations by April 20. They will then finalize the Practitioner Temporary Regulations and release updated temporary regulations that will be effective for a period of 2 years. Thereafter, the DOH will re-evaluate the Medical Marijuana Program and make any necessary revisions for its continued success.
 Amyotrophic Lateral Sclerosis (ALS), Autism, Cancer, Crohn’s Disease, Damage to the nervous tissue of the spinal cord with objective neurological indication of intractable spasticity, Epilepsy, Glaucoma, HIV (Human Immunodeficiency Virus) / AIDS (Acquired Immune Deficiency Syndrome), Huntington’s Disease, Inflammatory Bowel Disease, Intractable Seizures, Multiple Sclerosis, Neuropathies, Parkinson’s Disease, Post-traumatic Stress Disorder, Severe chronic or intractable pain of neuropathic origin or severe chronic or intractable pain in which conventional therapeutic intervention and opiate therapy is contraindicated or ineffective, Sickle Cell Anemia.
Emanuele v. Medicor Associates, was presented to the United States District Court for the Western District of Pennsylvania as cross motions for summary judgment, and provides some guidance regarding the Stark requirements for bona fide personal service contracting arrangements.
The case originated as a whistleblower allegation that Hamot Hospital had not complied with all of the elements of the Stark personal service contract exceptions for medical directors’ contracts, and therefore that billing for the related services raised False Claims Act billing issues.
The Court’s opinion provides valuable guidance regarding:
- Allowing a “collection of documents” to satisfy the written agreement requirement.
- Acknowledging that fully disclosed retroactive effective dates are not fatal, and
- Providing actual examples of real world facts establishing the elements of materiality and scienter for FCA cases.
The opinion is attached below.
I am inserting a link to the third in a series of articles published by the Allegheny County Medical Society regarding Medicare Payment Reform pursuant to the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA).
This article deals with Advanced Alternative Payment Models, and provides basic information on how provider groups can qualify for a 5% Medicare Part B incentive payment, and be exempt from the potential negative MIPS payment adjustments. The MACRA 5% bonuses for APM participation will start in 2019, assuming the provider groups meet the participation and reporting requirements in 2017 and 2018.
I think it is safe to assume the Trump efforts to repeal Obama Care will not impact the current MACRA rules in the short term, but it is probably not safe to assume that future changes will not be made.
Use this link to view the article “Macranomics: Advanced Alternative Payment Models” .
For additional information contact Mike Cassidy.
On January 12, 2017, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued final rules implementing permissive exclusion authorities authorized by the Affordable Care Act expanding exclusion authority under Section 1128 of the Social Security Act. The changes were first proposed on May 9, 2014 at 79 Federal Registered 26810.
Although there were numerous technical and definitional changes, the major policy changes are as follows:
- The rules implement the ACA exclusion and permission exclusion authority regarding all individuals and entities convicted for the interference with oral instruction of both investigations and audits related to the use of funds received from a federal health care program.
- The regulations implement expanded permissive exclusion authority for any individual or entity furnishing, ordering, referring or certifying the need for items and services for which payment may be made under a federal health care program that fails to provide certain payment information upon authorized request.
- The rules implement the ACA’s expanded permissive exclusion authority for knowingly making or causing to be made any false statement, omission, or misrepresentation of material fact in any application, agreement, bid, or contract to participate or enroll as a provider of services or supplier under a federal health care program.
Read the full text of the announcement and final regulations here.
I am repeating the Introduction of the FDA Guidance, and attaching a link to the 30 page document.
The Food and Drug Administration (FDA) is issuing this guidance to inform industry and FDA staff of the Agency’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices. In addition to the specific recommendations contained in this guidance, manufacturers are encouraged to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device. A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to health and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the overall risk to health.
This guidance clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices. This guidance establishes a risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the Agency and outlines circumstances in which FDA does not intend to enforce reporting requirements under 21 CFR part 806. 21 CFR part 806 requires device manufacturers or importers to report promptly to FDA certain actions concerning device corrections and removals. However, the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as “cybersecurity routine updates and patches,” are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting under 21 CFR part 806. For a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health, the FDA would require medical device manufacturers to notify the Agency. Risks to health posed by the device may result in patient harm. This guidance recommends how to assess whether the risk of patient harm is sufficiently controlled or uncontrolled. This assessment is based on an evaluation of the likelihood of exploit, the impact of exploitation on the device’s safety and essential performance, and the severity of patient harm if exploited.
 See FDA Guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190)
 See FDA Guidance titled: “distinguishing Medical Device Recalls from Medical Device Enhancements” (http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationsandGuidance/GuidanceDocuments/UCM418469.pdf).
 See 21 CFR 806.10.
 ANSI/AAMI/ISO 14971: 2007®2010: Medical Devices – Application of Risk Management to Medical Devices, section 2.16 – definition of risk.
 ANSI/AAMI ES60601-1:2005/®2012 and A1:2012, C1:2009/®2012 and A2:2010/®2012 (Consolidated Text) Medical electrical equipment – Part 1: General requirements for basic safety and essential performance (IEC 60601-1:12005, MOD), section 3.27 defines “Essential Performance” as performance of a clinical function, other than that related to basic safety, where loss or degradation beyond the limits specified by the manufacturer results in an unacceptable risk.
Use this link to view the article “Macranomics Summary and Timetable” that appeared in a recent edition of the Allegheny County Medical Society Bulletin.
For additional information contact Mike Cassidy.
The 2017 Medicare Physician Fee Schedule finalizes the CMS changes for Telehealth reimbursement and coverage for 2017. The CMS fee schedule document also provides a comprehensive explanation of Medicare Telehealth reimbursement and coverage. I have excerpted those 35 pages and linked them as a PDF to this post: Medicare Telehealth Services.
The essential takeaways are as follows:
Technology: Generally Medicare will require interactive technology for telehealth services, except for the approved use of asynchronous (store and forward) platforms for the demonstration projects in Alaska and Hawaii.
Location for Billing: Telehealth services should be billed by the practitioner to the MAC servicing the distant site at which the providing physician is located; the patient is at the originating site, although it is possible that both will be in the same jurisdiction.
Improved Telehealth Services: CMS explains its process for approving additional telehealth services, and provides the link to the existing list of covered services, i.e. https://www.cms.gov/Medicare/Medicare-General-Information/Telehealth/index.html.
Annual Covered Service Update: CMS maintains a process for approving new services by separating services into two categories, i.e.
- Category 1 has a protocol designed to review services similar to existing consultation, office visit, and office psychiatry services similar to those currently on the list of approved telehealth services.
- Category 2 is a protocol for services that are not similar to the current list of telehealth services, and require demonstration as to how the service will improve the diagnosis or treatment with evidence of relevant clinical studies.
Additional Covered Services for 2017:
- ESRD services similar to existing ESRD services
- Advanced care planning using CPT codes 99497 and 99498
- Critical care consultations using HCPCS codes G0508 and G0509
New Point of Service Reimbursement: CMS is adding point of service (POS) codes for the distant site to distinguish reimbursement between facility and non-facility rates. This change is also explained in MLN matters #MM9726, also linked as a PDF.
The Pennsylvania Department of Health published the approved 2017 medical record cost for production of medical charts and records. The notice is attached in the link below. It addresses both electronic health records and the production of records in other types of formats.