January 20, 2026 • 46 mins
Jennifer Breuer, Partner, Faegre Drinker Biddle & Reath LLP, Sean Sullivan, Partner, Alston & Bird LLP, and Adam Greene, Partner, Davis Wright Tremaine LLP, discuss some of the latest trends and developments in the world of telehealth, as well as what to expect in 2026. They cover issues related to reimbursement (including the future of telehealth flexibilities), privacy and security, and other compliance risks. Jennifer is editor, and Sean and Adam are co-authors, of AHLA’s new Telehealth Law Handbook, Third Edition.
Watch this episode: https://www.youtube.com/watch?v=7-tPb_XNUzk
Learn more about AHLA’s new Telehealth Law Handbook, Third Edition: https://store.lexisnexis.com/ahla/products/ahla-telehealth-law-handbook-ahla-members-grpussku5629963.html
Essential Legal Updates, Now in Audio
AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Comprehensive members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.
Stay At the Forefront of Health Legal Education
Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:04):
This episode of AHLA Speaking of Health Law is
brought to you by AHLA membersand donors like you.
For more information, visitamericanhealthlaw.org.
SPEAKER_03 (00:17):
So, hello.
Today we're um talking about uhAHLA's new telehealth law
handbook.
Um I am the editor of the thirdedition that just came out, and
I am here today with some of myco-authors.
Um I'm Jennifer Brewer, uhpartner at Pagree Drinker in our
Chicago office.
(00:37):
I'm here also with Adam Green, apartner with at Davis Wright and
Tremaine in the DC office, andSean Sullivan, a partner in
Austin and Bird's Atlantaoffice.
We're going to be talkingthrough some hot topics in
telehealth, um, some of whichwere discussed in the book, and
some of which are just timelythings that have come up in our
(00:58):
practices.
Um, let's start withreimbursement, since here we are
in the middle of January, and weknow that there are some
potential significant changescoming.
Um let's start there.
Sean, do you want to talk alittle bit about what happens,
what's happening today and whatmight or might not happen on
January 31st?
SPEAKER_01 (01:17):
Yeah, sure, sure.
So uh so thanks for having me,Jen, and appreciate you know,
AHLA had had this opportunity touh to do this podcast.
But we're kind of in aninteresting time right now, and
frankly, it's been it's beenkind of an interesting time over
the last five years since theCOVID-19 pandemic and the public
health emergency and the end ofthe public health emergency.
But we are recording this onJanuary 15th.
(01:40):
Um, the the current budget andum and funding for the
government extends throughJanuary 30th, uh January 30th,
2026.
And the way that the government,the way that Congress has been
extending these telehealthflexibilities that have been in
place since the beginning ofCOVID has really been through
the um through the through thecontinuing resolutions that have
(02:03):
extended the budget and fundedthe government.
So that means that because rightnow we only have funding of the
government through January 30th,2026, that means that all of the
COVID-19 related Medicaretelehealth flexibilities that
have been in place for the lastfive plus years, those will go
away as of January 30th, 2026.
So absent any additionallegislation, the Medicare
(02:25):
telehealth policy essentiallysnaps back to those pre-COVID-19
rules, bring back things likegeographic and originating site
requirements, um, who canactually provide, who are the
eligible providers to be able toprovide telehealth services,
certain in-person requirementsfor mental health services, um,
maybe even audio-only servicesmay go away.
(02:46):
So all of those will snap backto what was previously the
traditional Medicarerequirements for providing
telehealth.
And so this is, I mean, this isa you know, serious concern, a
serious problem.
It's really a core strategic oroperational concern for a lot of
telehealth companies on what todo after January 30th.
But that said, this has been aproblem that we've been
encountering every six months orso for the last couple of years.
SPEAKER_03 (03:10):
Um, any any insights or thoughts on what might happen
um in the next couple of weeks?
SPEAKER_01 (03:16):
Well, yeah, I can um, I mean, I expect, and I know
that there is broad bipartisansupport for extending the
telehealth flexibilities.
So I would expect that anybudget that is passed would
include extension of thosetelehealth flexibilities.
But that said, I just don't knowif there's going to be a budget
passed by January 30th, 2026.
And the way that Congress hasbeen going the last couple of
(03:37):
years, especially just over thelast year, is we get right up to
these um, you know, budgetdeadlines and Congress fails to
fails to pass anything or passessomething at the very last day.
But to the extent that somethingdoes get passed, I would expect
there to be telehealthflexibilities, an extension of
that.
I don't expect for it to bepermanent yet, although I think
(03:57):
everybody in the industry wouldlove for us to have those those
telehealth flexibilitieseventually made permanent, but
there's been a lot of reluctanceto to ultimately make those um,
you know, make those telehealthflexibilities permanent.
So I expect another extension togo along with the budget.
The big question on my side isis that budget going to be
passed and when would it bepassed?
And there may be some some lagperiod between when the
(04:19):
government may actually shutdown, between when those
telehealth flexibilities go awayand when they may be you know
reenacted.
SPEAKER_03 (04:27):
Right.
Um do you think that uh weshould expect um any any let's
talk a little bit about and whatwe're really talking about here
is Medicare, of course, um andand Medicaid um things that the
government pays for.
We know that a lot of telehealthhas moved to direct-to-consumer.
(04:47):
Um, and that really means atleast for for Medicare covered
services, many of those servicesaren't covered by Medicare
anyway.
Um and right, they don't theydon't take take cash pay
reimbursement, but for moretraditional telehealth
providers, this is going to be abig, a big change since over the
past you know several years,we've been able to see our
(05:08):
doctors and clinicians have beenable to get reimbursement for
that from anywhere.
Um, if we go back to thepre-2020 days, um, we're really
back to you know uhreimbursement only in for for uh
telehealth services only inrural rural communities, right?
And only when people actuallyshow up at facilities.
SPEAKER_01 (05:30):
That's right.
We'd be snapping back to thoseoriginal traditional pre-COVID
uh requirements.
And essentially, um, you know,this has been talked about
before, but those are there'sessentially five traditional
Medicare telehealthrequirements.
The originating site needs to besomewhere other than the
patient's home.
It has to be an eligibleoriginating site, like a
physician practice or a hospitalor a nursing facility.
(05:51):
Also, that originating site hasto be in a rural area.
So you can't provide telehealththat's reimbursed by Medicare in
a city, which is a significantlimitation.
There's also a bunch, there's alist of practitioners that can
provide telehealth.
It does not include therapistslike physical therapists,
occupational therapists, speechlanguage pathologists, and those
types of practitioners have beendoing a lot of a lot of
(06:12):
telehealth over the last coupleof years since they've been
permitted to.
But again, they are notpermitted under those, under
those traditional telehealthrules.
You also have to have aqualifying technology, which is
an audio-video synchronousconnection, with some
exceptions, but but a lot ofthose audio only or telephone
only telehealth services will nolonger be permitted.
Um, and then the fifth elementis really there may not be a
(06:34):
change to that.
That is, it must be a qualifyingtelehealth service listed on the
CMS list.
Would not expect that to change.
That is not a statutory issue.
That's really a CMS policyissue.
So I wouldn't expect that tochange, but but that list has
grown substantially over thelast five years since COVID and
since the end of the PhE.
unknown (06:52):
Yeah.
SPEAKER_03 (06:52):
Let's talk a little bit about Medicare Advantage
because what we're reallytalking about is traditional
Medicare reimbursement.
Uh, what happens with MedicareAdvantage?
SPEAKER_01 (07:02):
So these rules don't expressly apply to Medicare
Advantage, and MedicareAdvantage should have a lot more
flexibility.
It's not necessarily bound bythese rules.
And MA plans can offersupplemental benefits that have
telehealth that um telehealth asan option that is not connected
to these traditional telehealthrules.
So there's still going to beflexibility with Medicare
Advantage uh rules.
(07:24):
And last time this happened backin September, CMS did issue
some, I forget if there wereadvisories or some sort of
transmittals that talked abouthow this applies to Medicare
Advantage plans.
And the Medicare Advantage planscan, in fact, provide
supplemental telehealth benefitsthat go above and beyond what
these statutory requirementswould be.
So I don't expect it to, youknow, to hit MA plans and their
beneficiaries directly and beand be a problem.
(07:47):
It's just, and frankly, youknow, I don't expect it to be a
problem in the industry becauseI do expect, and we do think
there's bipartisan support forthis to be extended.
There's just, frankly, a lot ofconfusion in the industry.
And every time one of thesecliffs starts coming up, then we
get a ton of questions fromtelehealth practitioners, from
providers, from technologycompanies on what it means.
(08:07):
And a lot of the a lot of theadvice I give, you know, when
we're leading up to these thingsis look, it's not going to be as
bad as we think it's going tobe.
Yes, that's a possibility, butwe we certainly expect for the
extensions to take place, but wecan't guarantee it.
SPEAKER_03 (08:23):
You know, there's been a lot of discussion.
I mean, sort of every time thiscomes up, which has been, you
know, uh over the past fiveyears, pretty frequently,
there's been a lot of discussionum about why uh Congress hasn't
just made telehealth permanentum and the flexibility is
(08:44):
permanent.
And I, you know, leading up tothe pandemic, there was a whole
lot of concern of misuse andoveruse of telemedicine, that
word old ladies would be callingtheir doctors, and that would
cost the Medicare system um anawful lot of money.
Um I'm not sure that, you know,I don't think that that has
proven itself to be true, butI'm also not sure that anybody's
(09:05):
really ready to say that, youknow, telehealth for all for you
know, all or most situations isreally what Medicare is going to
pay for going forward.
SPEAKER_01 (09:14):
Yeah, yeah, I think that's right.
Um and there was a lot ofdiscussion, I think, about about
the cost, exactly exactly whatyou said cost, the potential for
fraud, you know, how much isthis gonna cost the the
government if we allow if weallow Medicare to reimburse
telehealth in almost anysituation, the same as we're
we're reimbursing in-personservices.
(09:35):
Um, and then when COVIDhappened, um all of these
flexibilities immediately wentinto place.
Congress passed a statute thatum the CARES Act that opened up
these flexibilities, and thenCMS implemented it.
And so we had a bunch of theseflexibilities.
And frankly, for the firstcouple of months, telehealth did
shoot up because everyone wasstaying in their homes.
But as the world started openingback up, um the use of
(09:58):
telehealth has kind of leveledoff.
Um, but I think that the concernfrom Congress's perspective was
the data that we have for howtelehealth is used and how much
it costs us was during thepublic health emergency.
So we had three years up until Ithink May of 2023 of the public
health emergency when theseflexibilities were in place.
(10:19):
And we know how much telehealthwas used at that time, we know
how much it cost at that time.
And then I think what Congressreally wants to study now and to
understand is what does it looklike when we're not in a public
health emergency?
What does it look like whenwe're not in a pandemic?
And with these expandedflexibilities to provide um
Medicare telehealth, when we'renot in a pandemic, how much is
(10:41):
that going to cost us and howmuch do people actually use it?
But now it's 2026.
So now it's been almost threeyears of that non-pandemic,
non-public health emergency withthose flexibilities.
So I would imagine that theCongressional Budget Office and
Congress and CMS and all ofthese agencies that study these
issues have enough data orshould have enough data to
(11:02):
really understand how much it'sgonna cost and how much is it
actually used.
But at the same time, Congressjust has a lot of problems over
the last couple of months andover the last year in particular
of getting anything done.
So I think that's really ourobstacle now is not necessarily
having enough data to know howit's gonna be used and how much
it costs, but really gettingCongress to get their act
together and come together andpass something on a bipartisan
(11:25):
basis that's gonna be meaningfulfor the country that is
permanent and not just atemporary kick the can down the
road.
So that's I think that's theissue we're dealing with.
SPEAKER_03 (11:33):
Great.
Um, what about um Medicaid?
Are we seeing changes or issuesthat we should talk about in
Medicaid reimbursement uh for2026 and go beyond?
SPEAKER_01 (11:45):
Well, Medicaid, you know, it's state, it's primarily
state-driven.
It's not federally standardizedacross the states, and states do
have broad discretion todetermine exactly how they're
gonna reimburse for telehealthand what kind of what modalities
to cover, what providers canbill, and all of those issues we
talked about for Medicare.
And Medicaid for Medicaidprograms, the states largely
have their own ability todetermine when they're gonna pay
(12:07):
for Medicaid.
Sorry, when they're gonna payfor telehealth services through
the Medicaid program.
Um, you know, typically most, Ithink virtually all Medicaid
programs do reimburse telehealthto some extent.
Um, and we've seen a greatexpansion of that again since
the since the pandemic over thelast five years.
So if there's a lot more,there's been a lot more growth
(12:28):
in reimbursement in telehealthand some interesting things that
Medicare doesn't actually do,such as reimbursing uh
ambulances for providingtelehealth services or serving
as an originating site fortelehealth services when the
ambulance may not actuallytransport the person home.
There's some states that haveimplemented things like that.
So you're seeing some moreinnovation on the state Medicaid
(12:48):
side.
Um the problem is it's just areal patchwork, and that can be
a challenge for nationalhealthcare providers that are
providing services in everystate, and including states that
may be reimbursed or servicesthat may be reimbursed in
different states by Medicaid.
So, you know, that can bechallenging, but it also is you
know an opportunity and it'sgood to see that there's been
more expansion among a number ofdifferent states for Medicaid
(13:10):
and telehealth.
SPEAKER_03 (13:12):
How about um commercial insurance and their
approach to telehealth coverage?
Do you see that changing at allor expanding more?
SPEAKER_01 (13:20):
That, yeah, that has been expanding a lot.
I haven't seen, I've seen itexpanding, I think, with
commercial payers.
They've become more and more uhwarmed up to the idea of
reimbursing for telehealthservices and really considering
telehealth not as a specificunique service, but really as a
modality for service thatmirrors in-person care.
(13:40):
So a lot of commercial payershave been have been really
opening up.
But the one thing to talk aboutfor commercial insurance is is
again, it can be state-specific,not because necessarily the
commercial insurance plans, butbecause of the insurance laws in
the state.
And every state has some type ofum of parity law, but there's a
(14:01):
lot of different versions ofthem.
And the main, the main umversions, I guess, are coverage
parity versus payment parity.
And a lot of states have, or themajority of states have coverage
parity that say that if you ifyou, as a commercial healthcare
insurance plan, if you cover uhtelehealth services, or sorry,
if you cover a service that isin person, then you need to
(14:23):
cover if it's conducted viatelehealth as well.
But there's a lot of differentvariations on that.
Some STEM may say, well, unlessit's not clinically indicated or
there's certain exceptions.
So there's a lot of varieties ofthat, but that essentially is
where the state is requiring theplans to cover telehealth
services if they were to coverthem in person.
But where we have um, you know,much more adoption of telehealth
(14:45):
is in the states that havepayment parity.
And payment parity is where thestate insurance laws mandate
that the that the health planscover those telehealth services,
not just to the same extent thatthey would cover in-person
services, but at the same rate.
So they're getting paid the sameif it's via telehealth versus if
it's in-person.
Um, and in those states wherewhere providers are able to get
(15:08):
the same reimbursement ifthey're doing it, if they're
doing care remotely, in thosestates, we've seen really seen a
lot more um expansion oftelehealth, especially on the
commercial side.
SPEAKER_03 (15:19):
Um, what are the sort of challenges that
providers face um in navigatingthe differences between re and
reimbursement between Medicare,Medicaid, and commercial payers?
SPEAKER_01 (15:32):
That that in and of itself, I think, is the
challenge, right?
Because you've got a lot ofdifferent payers.
You've got Medicare, which isgoing back and forth, are these
extensions going to happen ornot?
We don't know.
Um we expect that they will, butbut it's still a big open
question.
So we've got Medicare on oneside, we've got Medicare
Advantage that has their ownunique rules, uses a lot of the
same billing and coding anddocumentation requirements as
(15:54):
traditional Medicare, butMedicare Advantage may have its
own rules and its ownsupplemental benefits.
Then we have commercial payersthat are kind of kind of can do
their do their own thing, andthose may look different state
to state depending on thosecoverage laws.
And then we have Medicaidprograms that again are all
different.
So I think that's really thechallenge for a lot of providers
is figuring out when and how youcan provide telehealth and
(16:17):
tailoring that or puttingtogether policies to make sure
that they're doing itappropriately, depending on who
the patient's payer is.
So that that that's part of thechallenge for providers that are
that are operating in all fourrealms, you know, Medicare, MA,
Medicaid, as well as commercialinsurance.
SPEAKER_03 (16:33):
Right.
That actually seems to happenmuch more on the telehealth
network side than it does, youknow, for any payers, any more
traditional providers becausethey tend to be more local.
SPEAKER_01 (16:45):
Exactly.
Exactly.
SPEAKER_03 (16:48):
Let's um switch our focus a little bit from
reimbursement to other otherissues with uh telehealth these
days.
Let's move on to privacy andsecurity, which are always a hot
topic in this area.
Um and I want to talk a littlebit about uh what what laws
actually apply to telehealthproviders.
SPEAKER_02 (17:07):
Thanks, Jen, and thanks for having me on.
So what laws apply to telehealthwith respect to privacy and
security?
The answer is plenty andseemingly more by the day.
Um so I'll kind of divide it upinto federal and state at the
federal level.
You of course have HIPAA as kindof the 800-pound gorilla in
medical privacy law.
Um, but while I think peopleassume that if you're a
(17:31):
healthcare provider, you'regoverned by HIPAA.
Um, that's not necessarily thecase due to the strange history
of HIPAA.
It actually only applies tohealthcare providers who
electronically transact withcertain administrative
transactions with health plans,which is certainly most
healthcare providers.
But um, you know, you may have adentist, you may have a
(17:54):
psychiatrist who is kind of outof pocket payments only.
And in telehealth, we see a lotof those.
We see a lot of telehealthproviders who are, you know, do
not accept insurance.
It's just, you know,$50 persession or whatever.
Um and so while consumers mayreadily assume that their
(18:15):
telehealth conversations aresubject to HIPAA, that may not
actually be the case.
Um and if anything, I thinkwe're seeing more and more of
this with things like umtelehealth providers that are
focused on prescribing GLP onedrugs or things like that.
You know, I think we continue tosee growth in the non-HIPAA
(18:36):
covered telehealth providerterritory.
Um next up at the federal levelis section five of the FTC Act,
which section five simply statesmore or less that um for-profit
entities may not conductdeceptive or unfair trade
practices.
(18:56):
Um doesn't mention privacy,doesn't mention security, but in
practice, the FTC has taken thatlanguage and said, well, if you
have a privacy policy and you'renot following it.
If you maintain poor security,those are potentially deceptive
and or unfair trade practices.
And so Section 5 has reallybecome the general umbrella, not
(19:20):
specific to healthcare, but ingeneral in the US of privacy and
security law.
So, you know, the FTC has becomeuh essentially the primary
general enforcer of privacy andsecurity in the US.
And um telehealth, to the extentthat a telehealth provider is a
for-profit entity, would besubject to Section 5.
(19:40):
And um, we have certainly seenthe FTC bring enforcement
actions um in healthcare.
And in 2024, in fact, we saw twodifferent enforcement actions
with respect to um telehealthproviders in particular related
to their websites disclosinginformation like uh disclosing
to Third party online trackingplatforms that Adam Green or you
(20:04):
know IP address X, you know, hasa subscription to our telehealth
service or something like that.
Um, so you know don'tunderestimate section five.
And then um we also have 42 CFRPart 2, um, which is a federal
law that governs theconfidentiality of substance use
(20:25):
disorder patient records.
Um, doesn't cover all substanceuse disorder records, it only
covers ones that start that arecreated by certain federally
assisted programs that generallyspeaking hold themselves out as
providing substance use disorderservices.
But a telehealth provider couldcertainly qualify as such if it,
(20:46):
for example, participates inMedicare or has registration to
dispense controlled substances,you know, those would make it
federally assisted.
And if it's potentially holdingitself out as providing
substance use disorder services,um including, you know, as part
of more general mental healthservices, that could bring in 42
(21:08):
CFR Part 2, which has beenaround at this point for over 50
years.
Um, we've actually never seen anenforcement action, to my
knowledge, um, in those 50years.
But February of this year, wehave new changes to 42 CFR Part
2 going into effect, includingHHS being able to apply HIPAA
(21:30):
penalties.
And so kind of the enforcementrisk, I think, is going up
significantly for part two.
So if you're a telehealthprovider and you're involved in
substance use disorder servicesat all, worth taking a close
look at whether part two mayapply to you.
So that's just the federallevel.
Then you've got the state level.
So we have good old-fashionedstate medical privacy laws.
(21:53):
So, you know, examples of thesewould be things like the
California ConfidentialityMedical Information Act or the
Texas Medical Records PrivacyAct.
So I would say, you know, maybehalf the states have general
medical privacy laws.
And these are oftentimesforgotten in the analysis, but
can be more stringent thanHIPAA.
And so if you're a telehealthprovider and you're operating in
(22:17):
one state, you definitely wantto know that state's medical
privacy law.
If you're a telehealth providerand you're operating nationally,
you want to know a hell a wholelot of um state medical privacy
laws and you know what may applywhere.
Um, so you've got those.
You also have state, what I'dcall sensitive condition laws.
So these date back to thingslike HIV test results may have
(22:42):
special protections and requirespecific authorization.
Uh, genetic information may havespecial protections.
Um more recently, though, um,the you know, we've been seeing
the past three or four yearsafter the Dobbs decision, um,
reproductive health care,gender-affirming care, there may
(23:02):
be special protections attachedto those.
So if you're a telehealthprovider and you potentially
have any of information aboutany of these sensitive
conditions, then additionalauthorization requirements, for
example, might apply.
Or even we're starting to seerestrictions on being able to
disclose information out of onestate into another, as there's
(23:24):
kind of a battle between statesof those who permit, for
example, abortion and want toprotect that information versus
those who ban it andpotentially, you know, want to
take uh you know, want to takeaction with respect to when
their residents travel to otherstates.
So on top of that, you also havestate telehealth-specific laws
(23:48):
that may uh come into play.
So a few states will have lawson privacy or security specific
to telehealth.
And then finally, we have thisgrowing number of state consumer
privacy laws, like theCalifornia Consumer Privacy Act,
and all of those exempt PHIthat's subject to HIPAA.
But going back to the start ofthis conversation, if you are a
(24:10):
telehealth provider who's notsubject to HIPAA, you have to
look at whether you could besubject to one of those state
laws.
And that's the laws that are ineffect today.
There's certainly been talk offederal legislation that could
potentially close the gaps whenentities are outside of HIPAA.
And we continue to see eitherchanges to the recently enacted
(24:32):
state consumer privacy laws ormore state consumer privacy
laws.
So, yes, as Sean mentioned, thiswas being recorded January 15th,
might be out of date by January20th.
We'll see, as this is aconstantly evolving area.
SPEAKER_01 (24:48):
There's one other one other thing that I want to
throw out, and Adam, you bringup a good point by by addressing
the consumer protection andconsumer privacy laws, is I
often get this isn't atelehealth-specific law, but I
also often get questions fromtelehealth providers about the
TCPA, Telephone ConsumerProtection Act.
Um, and I'm not necessarily aTCPA lawyer.
I can answer some of thosequestions and some I refer out,
(25:09):
but a lot of telehealthproviders also are maintaining
active relationships with theirpatients, their consumers, or
even with potential consumers byengaging in outreach campaigns
with text messages or automatedphone calls or things like that.
So we do get a lot of questionson TCPA compliance from
telehealth providers as well.
So I just wanted to throw thatout there.
SPEAKER_02 (25:29):
Good point.
And you know, there's a SupremeCourt decision that kind of
limited the application of TCPA,kind of clarifying what
qualifies as automatic telephonedialing systems.
But not all plaintiff's firmshave necessarily gotten the memo
on that.
And so it still continues to bea hot area.
And then, you know, same sort offederal state divide, even if
(25:50):
you're not subject to federalTCPA, we're seeing a growing
number of what are sometimesreferred to as mini TCPA laws in
the states that sometimes havebroader reach than the federal
TCPA.
So, yes, if you're texting, ifyou're doing any autodialing,
mostly texting in this case, youknow, those laws are definitely
good ones to take a close lookat.
SPEAKER_03 (26:13):
You know, it's interesting because I think in
the olden days, which isprobably, I don't know, 10 years
ago or um or or maybe morerecently than that, even before
some all of these state laws uhstarted springing up on uh
privacy and and uh consumerprotection, you know, I think
(26:34):
people took the position thatespecially direct-to-consumer
telehealth providers who werenot subject to HIPAA, they would
say, okay, great, you know, I'lljust be subject to state law,
and HIPAA was the 2,000-poundgorilla that they didn't want to
have to comply with.
Um, but now, because it's thereare so many and they're so
varied, and frankly, some aremore stringent, um, but many
(26:57):
have an exception for HIPAAcovered entities.
We're seeing a lot of um uhclients or telehealth providers
who you know historically wouldhave taken the position or would
have would like to, if theycould pick and choose, say that
they were not um coveredentities.
But now they're asking, can wecan we choose to be a covered
(27:18):
entity even if we aren't?
Because we'd rather, you know,for have HIPAA apply to us and
potentially um preempt some ofthese, some of these state laws
at least, than um you know haveto be subject to all of these
other um potentially movingtargets.
So it's an interesting,interesting place that we're in
right now.
SPEAKER_02 (27:38):
Yeah, that's a really good point.
I would say Washington's MyHealth, My Data Act, and then
the Nevada equivalent, um, thatone arguably the most uh the
most stringent privacy law um inthe country, at least in certain
respects.
Um New York almost took thatcrown recently, but um with its
own New York HIPAA spelleddifferently, just to confuse
(28:00):
things further.
But that did that got vetoed bythe governor.
But yeah, I had this similarexperience where Ebon was doing
everything they could to, youknow, stay out of HIPAA
coverage.
But then when they realized howlimiting My Health, My Data Act
was, um, which does have anexception for PHI governed by
HIPAA, suddenly theyreconsidered that and said, you
(28:22):
know, maybe HIPAA is not so badafter all.
SPEAKER_03 (28:26):
Well, I'm not sure that you can just opt, you know,
that is a question that we keephaving.
Um, you know, can you opt intoHIPAA even if you're not really
a covered entity?
You know, um, and that's I'm notsure anybody really knows the
answer.
I think the federal governmentmight consider you, you know,
enforce HIPAA against you if youchoose to call yourself a
(28:46):
covered entity.
But I'm not sure that thatnecessarily gets you out of the
state law issues.
SPEAKER_02 (28:50):
Yeah, but all it takes is one.
So in the sense that's um oneclaim, right?
Yeah, I I think you knowarguably by definition, you're
not subject to HIPAA if you're ahealthcare provider that doesn't
do any electronic transactionswith health plans, but hey,
submit one healthcare claim to ahealth plan and congratulations,
you're a covered entity, notjust with respect to that
(29:11):
transaction, but that's right.
Yeah, and no one's figured outwhen that ends, frankly.
SPEAKER_03 (29:18):
Yep, we'll see all sorts of people just doing that
for for one.
Um are there some um HIPAA orother privacy issues that you
see that are specific totelehealth and not just to
healthcare providers in general?
SPEAKER_02 (29:34):
So one I see a lot of is kind of the interplay of
corporate practice of medicineand HIPAA's organizational
structures.
So, you know, I think what Ioftentimes see with telehealth
providers is a you know one ormore professional corporations.
Um, and then the the the truetelehealth provider is actually
(29:57):
kind of a management companythat's doing all the
administrative decisions, butyou know, pursuant of the
corporate practice of medicine,then of the clinical decisions.
And so the way that canoftentimes play out is the PCs,
the professional corporations,those are the covered entities,
versus the telehealth provider,which oftentimes the lawyer's
(30:20):
you know client, um, is actuallynot the covered entity, but is
actually a business associate,maybe even both, you know,
depending on the circumstances.
Maybe they're able to practicein some states, but elsewhere
they can't.
And so they act as the businessassociate to separate
professional corporations.
And so, you know, there you wantto kind of, you know, you don't
(30:43):
want to be thinking about itfrom the standpoint of, oh,
we've got you know 10 differentprofessional corporations, which
are 10 completely independentcovered entities.
So one thing that makes senseunder HIPAA is oftentimes to
establish them as what'sreferred to as an affiliated
covered entity, or an ACE forshort, um, where essentially
covered entities who have commonownership, which would generally
(31:07):
not be the case here, or acommon control with a very, very
loose definition under HIPAA ofwhat qualifies as common control
can designate as an affiliatecovered entity as an ace and be
treated more or less as onecovered entity.
And so if you're kind of a, I'dcall it a telehealth ecosystem
with kind of the platformprovider, you know, platform
(31:29):
slash management company and thePCs, um, you don't want to be
thinking about these as, youknow, okay, I've got
professional corporation A'smedical records, which are
completely have to be keptseparate from professional
corporation B's medical records.
So there's a lot of value todesignate as an ace, which the
practical result is you get totreat all of the healthcare
(31:51):
providers as if they'reessentially a single covered
entity.
But then you also have toremember to have that business
associate agreement in place.
Um it's counterintuitive becausethe business associate, the
management company, uh, youknow, they they may be
essentially in charge.
Um, but from the standpoint ofHIPAA, they're lower on the
(32:13):
ladder.
They're the business associateto the professional
corporations, to the coveredentities.
Um, and so sometimes it getsforgotten that you know the one
calling the shots needs to havea business associate agreement
where they're you knowtechnically kind of beholden to
those professional corporationsas the covered entities.
Um that would definitely be oneset of unique issues, I think,
(32:37):
you know, not truly unique, butsomething that I see popping up
in telehealth a lot more thanelsewhere.
Um, and so you know, make sureyou have all your, you know, all
that requires the appropriatedocumentation.
So your ACE designation, yourbusiness associate agreement,
that sort of thing.
SPEAKER_01 (32:54):
And and I see a lot of providers that overlook that,
frankly, is even even you know,large national healthcare
providers that that don't quitegrasp that yes, we actually are
a bunch of separate legalentities, including multiple
professional corporations.
And in many cases, you have tohave multiple professional
corporations because there aresome states like like California
and New Jersey and a few otherstates, depending on the
(33:15):
profession, where you have tohave a domestic professional
corporation in order to provideservices in that state.
So you've got these nationalcompanies with multiple PCs or
PLLCs.
Um, and and really the solutionfor that is just like you said,
uh Adam, is doing an ACEdesignation.
And then what I've also seen issometimes maybe it's a belt and
suspenders approach, but alsodoing an OCA, an organized
(33:36):
healthcare arrangement, which isvery similar to an ACE, but it's
it's slightly different, but itstill allows multiple covered
entities to be able to sharePHI.
Um, and then just like you said,you really want to treat the
entire enterprise, even if it'scomposed of PCs and a management
company.
You kind of want to they want totreat the business as a single
(33:57):
business.
So having that ACE designationor even an ACE and an OCA
designation allows you todevelop sort of a single set of
HIPAA policies, privacypolicies, and security policies
that can apply to the entirebusiness instead of really
having distinct separate HIPAAcompliance programs for every
single legal entity.
SPEAKER_03 (34:14):
Yeah, we've had a lot of a lot of discussion
around that um as well.
Sort of how to how to simplify,and you know, you're right that
it's often true that it's theplatform that is engaging
counsel or that considers itselfthe business.
But of course, that's not howthe money flows either because
of corporate practice ofmedicine.
So it becomes a big, you know,sort of making sure everything
(34:35):
is documented appropriately, andbecause of corporate practice of
medicine, sort of who's doingwhat for who, um, that that's uh
clearly um described um indocuments is important as well.
SPEAKER_02 (34:48):
Yeah.
And then after you've done allthat, make sure you don't have
HIPAA blinders on because um,unless a state specifically says
if it's fine under HIPAA, it'sfine under our state law.
There, I don't think you'll finda single state medical privacy
law that makes reference to anaffiliated covered entity or an
oak or anything like that.
So all those things are kind ofessential for HIPAA, but may
(35:10):
have no bearing whatsoever atthe state law level.
So you have to make sure thatyou're still complying with
state law.
SPEAKER_03 (35:17):
Can be complicated for sure.
Let's talk a little bit aboutsecurity.
Um, are there uh specific thingsthat you would recommend or
specific requirements that youcan think of that are specific
to telehealth?
Obviously, sort of security andprivacy go hand in hand.
SPEAKER_02 (35:33):
Yeah.
So, you know, first of course,there's the security rule in
general.
And so roughly 50 uh differentstandards and implementation
specifications, and you know, uhevery healthcare provider has
challenges meeting you know thesecurity rule, you know, day in,
day out.
So, you know, don't you knowdon't ignore the the generic
(35:56):
stuff um to start off with.
Um and this year we may see thefirst significant changes to the
security rule really since itwas enacted, other than the 2013
change to extend it to businessassociates.
And so, you know, if you're atelehealth provider compliant
with the security rule today,you may not be compliant by the
(36:19):
end of 2026, um, you know, basedon those changes.
Um but then more specific totelehealth, you know, one is
making sure you have a secure,compliant telehealth platform.
So we saw, for example, whentelehealth first started under
COVID, um, OCR you know did anotice of enforcement discretion
(36:41):
essentially stating we're notgoing to enforce if you don't
comply with certain safeguardswith respect to your choice of
telehealth platforms, forexample.
So if it wasn't signing abusiness associate agreement,
that was not necessarily fatal.
That's long gone.
That's years behind us.
So you know, make sure thatyou're not using, you know, kind
(37:03):
of generic consumer grade videoconferencing, but rather you
have an appropriate corporategrade, you know, secure solution
in which the vendor, if they'regoing to have any access to
protected health information, issigned a business associate
agreement.
So that's one area.
Another one, you know, don't bestupid.
(37:24):
Um a little bit of common sensegoes a long way.
Um, so you you would think youwouldn't have to say it, but you
know, don't take telehealthcalls if you're the provider on
a crowded subway, um, or evenlike, you know, in a in your
home in a place where familymembers can hear everything
you're saying.
So, you know, no matter whereyou're working, you have to
(37:47):
treat that as a securehealthcare provider location.
Um, even though, yes, it iseasier than ever to do
telehealth anywhere, you know,to pick up that call while, you
know, at the boarding gate atthe airport or something like
that.
But, you know, be cognizant thatyou you are subject to the
security rule wherever you aretaking that call, essentially.
(38:10):
Um, and then finally, um, youknow, this is not specific to
telehealth providers, but as Imentioned earlier, we've seen a
few enforcement actions in thisarea.
Um, as a telehealth provider,you likely have a website and
rely on it heavily.
Um, understand what informationis flowing from your website,
you know, pixels, you know, overto Google Analytics or whatever.
(38:31):
Um, and that all that iscompliant with HIPAA and
compliant with your privacypolicies, because you know, we
have seen, you know, in 2024under the last administration,
um, the FTC looked at telehealthproviders and others at their
website practices.
We don't know whether under thenew current administration um
(38:53):
the FTC is gonna continue withthat focus.
But um, you know, if even if theFTC doesn't, there are plenty of
class action attorneys who arehappy to look at your website
for you.
And if they see informationflowing, happy to bring
litigation and hope for a quick,nice settlement.
Um, so don't forget about thosewebsite disclosures.
SPEAKER_03 (39:13):
I'm gonna put a plug-in for doing um security
risk assessments as well.
We've certainly seen someenforcement um on clients'
behalf.
And you know, if you ever areinvestigated by OCR, the first
thing that they're gonna ask youfor is your security risk
assessment.
And if you can't provide one,um, they're gonna find that you
(39:34):
know they just consider that abest practice or just not even a
best practice, a requiredpractice for entities in the
healthcare industry.
And so if you don't have one,you're likely to pay some fines
and see some complianceenforcement.
SPEAKER_02 (39:48):
Yep, absolutely.
There's about, you know, as Imentioned earlier, like 50
standards and implementationspecifications, but not all of
them are created equal.
And that risk analysisimplementation specification,
OCR, the Office for.
civil rights at HHS considers itfoundational to your entire
security rule complianceprogram.
And if you look at you know theminority of cases that have gone
(40:12):
to financial settlement or civilmonetary penalties, those that
don't relate to private privacyright of access, you know, I
would say the number two issuetends to be on the security rule
side, lack of a risk analysis.
And through multipleadministrations, they've had
risk analysis listed as theirnumber one priority in
(40:34):
enforcement.
So absolutely, you know, and asa telehealth provider, your
risks are going to be entirelydifferent than the risks facing
a brick and mortar healthcareprovider.
And so your risk analysis shouldreflect those unique set of
risks.
SPEAKER_03 (40:53):
We've uh we've talked a little bit about some
other compliance risks alreadyjust in this conversation like
corporate practice of medicine,things that you have to think
about as a telehealth provider.
Are there other things that weshould um mention here that that
you guys would like to discuss?
There's one one thing that we'veum I know we've all talked about
(41:13):
before was Medicare enrollmentfor a multi-state provider.
Do you guys want to weigh in alittle bit on that?
The issue you know tends to bethat number one, telehealth
providers operate in multiplestates and Medicare still
requires enrollment on a stateby state basis.
(41:34):
And then also the Medicareregulations for enrollment the
requirements for enrollmentrequire you know sort of
practice location informationand operational information and
oftentimes there is no physicalbrick and mortar location for a
telehealth provider.
What do you guys do or recommendin those situations?
SPEAKER_01 (41:58):
You know it's it's really a challenge for for
healthcare providers that areoperating telehealth practices
that are providing services inalmost every state um especially
because they may not have abrick and mortar location and
they certainly if they'retelehealth only provider they
certainly are not seeingpatients in those locations.
But CMS doesn't necessarilyrequire that you have locations
(42:20):
that people that patients cancome in and actually be treated.
These locations just have to beoperational and and they don't
have to be operational 24-7 oranything like that.
But what they really expect isthat you've got an address a
physical address in each statethat the that that address at
that location is operational,whether it be an office location
(42:42):
or even a home location for aphysician if they're providing
services out of their home andthat and that really the the
information that you provideabout that location that it's
accurate.
So that's kind of the key thingsbut the problem is there's you
know Medicare surveyors this israre but they certainly can show
up and and do a survey and ifthey show up and do a survey
they're going to be looking fora lot of other things they're
(43:03):
going to be looking for signageand they're going to be looking
for staff and they're going tobe looking for you know posted
office hours and stuff likethat.
So that can be a challenge forfor telehealth providers but my
advice typically is to try toget an address in each state.
If that needs to be the personaladdress of a physician and then
that can work.
There's been a flexibility overagain it was related to COVID
(43:27):
for providers to be able to notnecessarily have to enroll their
home locations but even if theydidn't enroll their home
locations then they still had tohave a practice location or a
primary practice location stillin that state that they were
reporting the services from.
So best practice is still goingto be to have a practice
location with an address inevery state even if you're not
(43:47):
providing services out of itevery day and even if you can't
see patients in person in thatlocation.
But you need to get an address.
And then and then if if you doneed to use a provider's home
address there is now a anability to mask that if you
report it as an administrativeonly site or a telehealth site
then then that the addressitself for privacy reasons I
(44:11):
believe is masked from thingslike the NPI database or the
provider enrollment record.
So that's not available to thepublic um but it still certainly
is a challenge to to deal withthose with those rules that are
really designed aroundtraditional in-person brick and
mortar locations.
SPEAKER_03 (44:26):
Yeah we had exactly that situation recently um where
an investigator went to the youknow cited physical location
which was some we work space oryou know that that um and that
didn't didn't cut it um andwe've seen the same thing happen
when it's a PO box you know likethat that doesn't work either.
SPEAKER_01 (44:47):
Yeah they want it they want a physical location
I've had some some luck using awe work space or a regis space
or those those types oftemporary you know rented office
locations but you still have tomake sure that it's an
operational space and sometimesyou have to you have to provide
an explanation to the Medicaresurveyor.
Yep with that I think um we'rekind of getting to the end of
(45:11):
our time so um do you guys haveanything else you want to
discuss before we sign off Idon't I don't think nothing
necessarily I think we'vecovered a lot of interesting
issues you know there's a lot ofcompliance issues and that come
along with telehealth just youknow the ones we've spoken about
reimbursement privacy andsecurity corporate practice of
(45:31):
medicine is always a challenge.
And then I guess the other onething that that can be difficult
but certainly you can deal withis establishing provider
relationships remotely.
If you don't already have arelationship with that patient,
the provider does not then eachstate has different standards or
criteria for what you can do tocreate to establish that patient
(45:52):
relationship remotely viatelehealth.
So make sure if you're operatingin a state or a number of
different states that you'reaware of or advising clients
that they are aware that theremay be different standards for
establishing that relationshipin different states.
But otherwise this has been agreat discussion I think we've
covered a lot of topics andhopefully it's been helpful to
everybody.
SPEAKER_03 (46:11):
Thanks you guys so much for participating.
SPEAKER_01 (46:13):
Thank you.
SPEAKER_00 (46:14):
Take care thanks Jen thank you if you enjoyed this
episode be sure to subscribe toAHLA Speaking of Health Law
wherever you get your podcast.
For more information about AHLAand the educational resources
available to the health lawcommunity visit
americanhealthlaw.org and stayupdated on breaking healthcare
(46:38):
industry news from the majormedia outlets with AHLA's health
law daily podcast exclusivelyfor AHLA comprehensive members.
To subscribe and add thisprivate podcast feed to your
podcast apps go toamericanhealthlaw.org slash
daily podcast
This episode of AHLA Speaking of Health Law is
brought to you by AHLA membersand donors like you.
For more information, visitamericanhealthlaw.org.
SPEAKER_03 (00:17):
So, hello.
Today we're um talking about uhAHLA's new telehealth law
handbook.
Um I am the editor of the thirdedition that just came out, and
I am here today with some of myco-authors.
Um I'm Jennifer Brewer, uhpartner at Pagree Drinker in our
Chicago office.
(00:37):
I'm here also with Adam Green, apartner with at Davis Wright and
Tremaine in the DC office, andSean Sullivan, a partner in
Austin and Bird's Atlantaoffice.
We're going to be talkingthrough some hot topics in
telehealth, um, some of whichwere discussed in the book, and
some of which are just timelythings that have come up in our
(00:58):
practices.
Um, let's start withreimbursement, since here we are
in the middle of January, and weknow that there are some
potential significant changescoming.
Um let's start there.
Sean, do you want to talk alittle bit about what happens,
what's happening today and whatmight or might not happen on
January 31st?
SPEAKER_01 (01:17):
Yeah, sure, sure.
So uh so thanks for having me,Jen, and appreciate you know,
AHLA had had this opportunity touh to do this podcast.
But we're kind of in aninteresting time right now, and
frankly, it's been it's beenkind of an interesting time over
the last five years since theCOVID-19 pandemic and the public
health emergency and the end ofthe public health emergency.
But we are recording this onJanuary 15th.
(01:40):
Um, the the current budget andum and funding for the
government extends throughJanuary 30th, uh January 30th,
2026.
And the way that the government,the way that Congress has been
extending these telehealthflexibilities that have been in
place since the beginning ofCOVID has really been through
the um through the through thecontinuing resolutions that have
(02:03):
extended the budget and fundedthe government.
So that means that because rightnow we only have funding of the
government through January 30th,2026, that means that all of the
COVID-19 related Medicaretelehealth flexibilities that
have been in place for the lastfive plus years, those will go
away as of January 30th, 2026.
So absent any additionallegislation, the Medicare
(02:25):
telehealth policy essentiallysnaps back to those pre-COVID-19
rules, bring back things likegeographic and originating site
requirements, um, who canactually provide, who are the
eligible providers to be able toprovide telehealth services,
certain in-person requirementsfor mental health services, um,
maybe even audio-only servicesmay go away.
(02:46):
So all of those will snap backto what was previously the
traditional Medicarerequirements for providing
telehealth.
And so this is, I mean, this isa you know, serious concern, a
serious problem.
It's really a core strategic oroperational concern for a lot of
telehealth companies on what todo after January 30th.
But that said, this has been aproblem that we've been
encountering every six months orso for the last couple of years.
SPEAKER_03 (03:10):
Um, any any insights or thoughts on what might happen
um in the next couple of weeks?
SPEAKER_01 (03:16):
Well, yeah, I can um, I mean, I expect, and I know
that there is broad bipartisansupport for extending the
telehealth flexibilities.
So I would expect that anybudget that is passed would
include extension of thosetelehealth flexibilities.
But that said, I just don't knowif there's going to be a budget
passed by January 30th, 2026.
And the way that Congress hasbeen going the last couple of
(03:37):
years, especially just over thelast year, is we get right up to
these um, you know, budgetdeadlines and Congress fails to
fails to pass anything or passessomething at the very last day.
But to the extent that somethingdoes get passed, I would expect
there to be telehealthflexibilities, an extension of
that.
I don't expect for it to bepermanent yet, although I think
(03:57):
everybody in the industry wouldlove for us to have those those
telehealth flexibilitieseventually made permanent, but
there's been a lot of reluctanceto to ultimately make those um,
you know, make those telehealthflexibilities permanent.
So I expect another extension togo along with the budget.
The big question on my side isis that budget going to be
passed and when would it bepassed?
And there may be some some lagperiod between when the
(04:19):
government may actually shutdown, between when those
telehealth flexibilities go awayand when they may be you know
reenacted.
SPEAKER_03 (04:27):
Right.
Um do you think that uh weshould expect um any any let's
talk a little bit about and whatwe're really talking about here
is Medicare, of course, um andand Medicaid um things that the
government pays for.
We know that a lot of telehealthhas moved to direct-to-consumer.
(04:47):
Um, and that really means atleast for for Medicare covered
services, many of those servicesaren't covered by Medicare
anyway.
Um and right, they don't theydon't take take cash pay
reimbursement, but for moretraditional telehealth
providers, this is going to be abig, a big change since over the
past you know several years,we've been able to see our
(05:08):
doctors and clinicians have beenable to get reimbursement for
that from anywhere.
Um, if we go back to thepre-2020 days, um, we're really
back to you know uhreimbursement only in for for uh
telehealth services only inrural rural communities, right?
And only when people actuallyshow up at facilities.
SPEAKER_01 (05:30):
That's right.
We'd be snapping back to thoseoriginal traditional pre-COVID
uh requirements.
And essentially, um, you know,this has been talked about
before, but those are there'sessentially five traditional
Medicare telehealthrequirements.
The originating site needs to besomewhere other than the
patient's home.
It has to be an eligibleoriginating site, like a
physician practice or a hospitalor a nursing facility.
(05:51):
Also, that originating site hasto be in a rural area.
So you can't provide telehealththat's reimbursed by Medicare in
a city, which is a significantlimitation.
There's also a bunch, there's alist of practitioners that can
provide telehealth.
It does not include therapistslike physical therapists,
occupational therapists, speechlanguage pathologists, and those
types of practitioners have beendoing a lot of a lot of
(06:12):
telehealth over the last coupleof years since they've been
permitted to.
But again, they are notpermitted under those, under
those traditional telehealthrules.
You also have to have aqualifying technology, which is
an audio-video synchronousconnection, with some
exceptions, but but a lot ofthose audio only or telephone
only telehealth services will nolonger be permitted.
Um, and then the fifth elementis really there may not be a
(06:34):
change to that.
That is, it must be a qualifyingtelehealth service listed on the
CMS list.
Would not expect that to change.
That is not a statutory issue.
That's really a CMS policyissue.
So I wouldn't expect that tochange, but but that list has
grown substantially over thelast five years since COVID and
since the end of the PhE.
unknown (06:52):
Yeah.
SPEAKER_03 (06:52):
Let's talk a little bit about Medicare Advantage
because what we're reallytalking about is traditional
Medicare reimbursement.
Uh, what happens with MedicareAdvantage?
SPEAKER_01 (07:02):
So these rules don't expressly apply to Medicare
Advantage, and MedicareAdvantage should have a lot more
flexibility.
It's not necessarily bound bythese rules.
And MA plans can offersupplemental benefits that have
telehealth that um telehealth asan option that is not connected
to these traditional telehealthrules.
So there's still going to beflexibility with Medicare
Advantage uh rules.
(07:24):
And last time this happened backin September, CMS did issue
some, I forget if there wereadvisories or some sort of
transmittals that talked abouthow this applies to Medicare
Advantage plans.
And the Medicare Advantage planscan, in fact, provide
supplemental telehealth benefitsthat go above and beyond what
these statutory requirementswould be.
So I don't expect it to, youknow, to hit MA plans and their
beneficiaries directly and beand be a problem.
(07:47):
It's just, and frankly, youknow, I don't expect it to be a
problem in the industry becauseI do expect, and we do think
there's bipartisan support forthis to be extended.
There's just, frankly, a lot ofconfusion in the industry.
And every time one of thesecliffs starts coming up, then we
get a ton of questions fromtelehealth practitioners, from
providers, from technologycompanies on what it means.
(08:07):
And a lot of the a lot of theadvice I give, you know, when
we're leading up to these thingsis look, it's not going to be as
bad as we think it's going tobe.
Yes, that's a possibility, butwe we certainly expect for the
extensions to take place, but wecan't guarantee it.
SPEAKER_03 (08:23):
You know, there's been a lot of discussion.
I mean, sort of every time thiscomes up, which has been, you
know, uh over the past fiveyears, pretty frequently,
there's been a lot of discussionum about why uh Congress hasn't
just made telehealth permanentum and the flexibility is
(08:44):
permanent.
And I, you know, leading up tothe pandemic, there was a whole
lot of concern of misuse andoveruse of telemedicine, that
word old ladies would be callingtheir doctors, and that would
cost the Medicare system um anawful lot of money.
Um I'm not sure that, you know,I don't think that that has
proven itself to be true, butI'm also not sure that anybody's
(09:05):
really ready to say that, youknow, telehealth for all for you
know, all or most situations isreally what Medicare is going to
pay for going forward.
SPEAKER_01 (09:14):
Yeah, yeah, I think that's right.
Um and there was a lot ofdiscussion, I think, about about
the cost, exactly exactly whatyou said cost, the potential for
fraud, you know, how much isthis gonna cost the the
government if we allow if weallow Medicare to reimburse
telehealth in almost anysituation, the same as we're
we're reimbursing in-personservices.
(09:35):
Um, and then when COVIDhappened, um all of these
flexibilities immediately wentinto place.
Congress passed a statute thatum the CARES Act that opened up
these flexibilities, and thenCMS implemented it.
And so we had a bunch of theseflexibilities.
And frankly, for the firstcouple of months, telehealth did
shoot up because everyone wasstaying in their homes.
But as the world started openingback up, um the use of
(09:58):
telehealth has kind of leveledoff.
Um, but I think that the concernfrom Congress's perspective was
the data that we have for howtelehealth is used and how much
it costs us was during thepublic health emergency.
So we had three years up until Ithink May of 2023 of the public
health emergency when theseflexibilities were in place.
(10:19):
And we know how much telehealthwas used at that time, we know
how much it cost at that time.
And then I think what Congressreally wants to study now and to
understand is what does it looklike when we're not in a public
health emergency?
What does it look like whenwe're not in a pandemic?
And with these expandedflexibilities to provide um
Medicare telehealth, when we'renot in a pandemic, how much is
(10:41):
that going to cost us and howmuch do people actually use it?
But now it's 2026.
So now it's been almost threeyears of that non-pandemic,
non-public health emergency withthose flexibilities.
So I would imagine that theCongressional Budget Office and
Congress and CMS and all ofthese agencies that study these
issues have enough data orshould have enough data to
(11:02):
really understand how much it'sgonna cost and how much is it
actually used.
But at the same time, Congressjust has a lot of problems over
the last couple of months andover the last year in particular
of getting anything done.
So I think that's really ourobstacle now is not necessarily
having enough data to know howit's gonna be used and how much
it costs, but really gettingCongress to get their act
together and come together andpass something on a bipartisan
(11:25):
basis that's gonna be meaningfulfor the country that is
permanent and not just atemporary kick the can down the
road.
So that's I think that's theissue we're dealing with.
SPEAKER_03 (11:33):
Great.
Um, what about um Medicaid?
Are we seeing changes or issuesthat we should talk about in
Medicaid reimbursement uh for2026 and go beyond?
SPEAKER_01 (11:45):
Well, Medicaid, you know, it's state, it's primarily
state-driven.
It's not federally standardizedacross the states, and states do
have broad discretion todetermine exactly how they're
gonna reimburse for telehealthand what kind of what modalities
to cover, what providers canbill, and all of those issues we
talked about for Medicare.
And Medicaid for Medicaidprograms, the states largely
have their own ability todetermine when they're gonna pay
(12:07):
for Medicaid.
Sorry, when they're gonna payfor telehealth services through
the Medicaid program.
Um, you know, typically most, Ithink virtually all Medicaid
programs do reimburse telehealthto some extent.
Um, and we've seen a greatexpansion of that again since
the since the pandemic over thelast five years.
So if there's a lot more,there's been a lot more growth
(12:28):
in reimbursement in telehealthand some interesting things that
Medicare doesn't actually do,such as reimbursing uh
ambulances for providingtelehealth services or serving
as an originating site fortelehealth services when the
ambulance may not actuallytransport the person home.
There's some states that haveimplemented things like that.
So you're seeing some moreinnovation on the state Medicaid
(12:48):
side.
Um the problem is it's just areal patchwork, and that can be
a challenge for nationalhealthcare providers that are
providing services in everystate, and including states that
may be reimbursed or servicesthat may be reimbursed in
different states by Medicaid.
So, you know, that can bechallenging, but it also is you
know an opportunity and it'sgood to see that there's been
more expansion among a number ofdifferent states for Medicaid
(13:10):
and telehealth.
SPEAKER_03 (13:12):
How about um commercial insurance and their
approach to telehealth coverage?
Do you see that changing at allor expanding more?
SPEAKER_01 (13:20):
That, yeah, that has been expanding a lot.
I haven't seen, I've seen itexpanding, I think, with
commercial payers.
They've become more and more uhwarmed up to the idea of
reimbursing for telehealthservices and really considering
telehealth not as a specificunique service, but really as a
modality for service thatmirrors in-person care.
(13:40):
So a lot of commercial payershave been have been really
opening up.
But the one thing to talk aboutfor commercial insurance is is
again, it can be state-specific,not because necessarily the
commercial insurance plans, butbecause of the insurance laws in
the state.
And every state has some type ofum of parity law, but there's a
(14:01):
lot of different versions ofthem.
And the main, the main umversions, I guess, are coverage
parity versus payment parity.
And a lot of states have, or themajority of states have coverage
parity that say that if you ifyou, as a commercial healthcare
insurance plan, if you cover uhtelehealth services, or sorry,
if you cover a service that isin person, then you need to
(14:23):
cover if it's conducted viatelehealth as well.
But there's a lot of differentvariations on that.
Some STEM may say, well, unlessit's not clinically indicated or
there's certain exceptions.
So there's a lot of varieties ofthat, but that essentially is
where the state is requiring theplans to cover telehealth
services if they were to coverthem in person.
But where we have um, you know,much more adoption of telehealth
(14:45):
is in the states that havepayment parity.
And payment parity is where thestate insurance laws mandate
that the that the health planscover those telehealth services,
not just to the same extent thatthey would cover in-person
services, but at the same rate.
So they're getting paid the sameif it's via telehealth versus if
it's in-person.
Um, and in those states wherewhere providers are able to get
(15:08):
the same reimbursement ifthey're doing it, if they're
doing care remotely, in thosestates, we've seen really seen a
lot more um expansion oftelehealth, especially on the
commercial side.
SPEAKER_03 (15:19):
Um, what are the sort of challenges that
providers face um in navigatingthe differences between re and
reimbursement between Medicare,Medicaid, and commercial payers?
SPEAKER_01 (15:32):
That that in and of itself, I think, is the
challenge, right?
Because you've got a lot ofdifferent payers.
You've got Medicare, which isgoing back and forth, are these
extensions going to happen ornot?
We don't know.
Um we expect that they will, butbut it's still a big open
question.
So we've got Medicare on oneside, we've got Medicare
Advantage that has their ownunique rules, uses a lot of the
same billing and coding anddocumentation requirements as
(15:54):
traditional Medicare, butMedicare Advantage may have its
own rules and its ownsupplemental benefits.
Then we have commercial payersthat are kind of kind of can do
their do their own thing, andthose may look different state
to state depending on thosecoverage laws.
And then we have Medicaidprograms that again are all
different.
So I think that's really thechallenge for a lot of providers
is figuring out when and how youcan provide telehealth and
(16:17):
tailoring that or puttingtogether policies to make sure
that they're doing itappropriately, depending on who
the patient's payer is.
So that that that's part of thechallenge for providers that are
that are operating in all fourrealms, you know, Medicare, MA,
Medicaid, as well as commercialinsurance.
SPEAKER_03 (16:33):
Right.
That actually seems to happenmuch more on the telehealth
network side than it does, youknow, for any payers, any more
traditional providers becausethey tend to be more local.
SPEAKER_01 (16:45):
Exactly.
Exactly.
SPEAKER_03 (16:48):
Let's um switch our focus a little bit from
reimbursement to other otherissues with uh telehealth these
days.
Let's move on to privacy andsecurity, which are always a hot
topic in this area.
Um and I want to talk a littlebit about uh what what laws
actually apply to telehealthproviders.
SPEAKER_02 (17:07):
Thanks, Jen, and thanks for having me on.
So what laws apply to telehealthwith respect to privacy and
security?
The answer is plenty andseemingly more by the day.
Um so I'll kind of divide it upinto federal and state at the
federal level.
You of course have HIPAA as kindof the 800-pound gorilla in
medical privacy law.
Um, but while I think peopleassume that if you're a
(17:31):
healthcare provider, you'regoverned by HIPAA.
Um, that's not necessarily thecase due to the strange history
of HIPAA.
It actually only applies tohealthcare providers who
electronically transact withcertain administrative
transactions with health plans,which is certainly most
healthcare providers.
But um, you know, you may have adentist, you may have a
(17:54):
psychiatrist who is kind of outof pocket payments only.
And in telehealth, we see a lotof those.
We see a lot of telehealthproviders who are, you know, do
not accept insurance.
It's just, you know,$50 persession or whatever.
Um and so while consumers mayreadily assume that their
(18:15):
telehealth conversations aresubject to HIPAA, that may not
actually be the case.
Um and if anything, I thinkwe're seeing more and more of
this with things like umtelehealth providers that are
focused on prescribing GLP onedrugs or things like that.
You know, I think we continue tosee growth in the non-HIPAA
(18:36):
covered telehealth providerterritory.
Um next up at the federal levelis section five of the FTC Act,
which section five simply statesmore or less that um for-profit
entities may not conductdeceptive or unfair trade
practices.
(18:56):
Um doesn't mention privacy,doesn't mention security, but in
practice, the FTC has taken thatlanguage and said, well, if you
have a privacy policy and you'renot following it.
If you maintain poor security,those are potentially deceptive
and or unfair trade practices.
And so Section 5 has reallybecome the general umbrella, not
(19:20):
specific to healthcare, but ingeneral in the US of privacy and
security law.
So, you know, the FTC has becomeuh essentially the primary
general enforcer of privacy andsecurity in the US.
And um telehealth, to the extentthat a telehealth provider is a
for-profit entity, would besubject to Section 5.
(19:40):
And um, we have certainly seenthe FTC bring enforcement
actions um in healthcare.
And in 2024, in fact, we saw twodifferent enforcement actions
with respect to um telehealthproviders in particular related
to their websites disclosinginformation like uh disclosing
to Third party online trackingplatforms that Adam Green or you
(20:04):
know IP address X, you know, hasa subscription to our telehealth
service or something like that.
Um, so you know don'tunderestimate section five.
And then um we also have 42 CFRPart 2, um, which is a federal
law that governs theconfidentiality of substance use
(20:25):
disorder patient records.
Um, doesn't cover all substanceuse disorder records, it only
covers ones that start that arecreated by certain federally
assisted programs that generallyspeaking hold themselves out as
providing substance use disorderservices.
But a telehealth provider couldcertainly qualify as such if it,
(20:46):
for example, participates inMedicare or has registration to
dispense controlled substances,you know, those would make it
federally assisted.
And if it's potentially holdingitself out as providing
substance use disorder services,um including, you know, as part
of more general mental healthservices, that could bring in 42
(21:08):
CFR Part 2, which has beenaround at this point for over 50
years.
Um, we've actually never seen anenforcement action, to my
knowledge, um, in those 50years.
But February of this year, wehave new changes to 42 CFR Part
2 going into effect, includingHHS being able to apply HIPAA
(21:30):
penalties.
And so kind of the enforcementrisk, I think, is going up
significantly for part two.
So if you're a telehealthprovider and you're involved in
substance use disorder servicesat all, worth taking a close
look at whether part two mayapply to you.
So that's just the federallevel.
Then you've got the state level.
So we have good old-fashionedstate medical privacy laws.
(21:53):
So, you know, examples of thesewould be things like the
California ConfidentialityMedical Information Act or the
Texas Medical Records PrivacyAct.
So I would say, you know, maybehalf the states have general
medical privacy laws.
And these are oftentimesforgotten in the analysis, but
can be more stringent thanHIPAA.
And so if you're a telehealthprovider and you're operating in
(22:17):
one state, you definitely wantto know that state's medical
privacy law.
If you're a telehealth providerand you're operating nationally,
you want to know a hell a wholelot of um state medical privacy
laws and you know what may applywhere.
Um, so you've got those.
You also have state, what I'dcall sensitive condition laws.
So these date back to thingslike HIV test results may have
(22:42):
special protections and requirespecific authorization.
Uh, genetic information may havespecial protections.
Um more recently, though, um,the you know, we've been seeing
the past three or four yearsafter the Dobbs decision, um,
reproductive health care,gender-affirming care, there may
(23:02):
be special protections attachedto those.
So if you're a telehealthprovider and you potentially
have any of information aboutany of these sensitive
conditions, then additionalauthorization requirements, for
example, might apply.
Or even we're starting to seerestrictions on being able to
disclose information out of onestate into another, as there's
(23:24):
kind of a battle between statesof those who permit, for
example, abortion and want toprotect that information versus
those who ban it andpotentially, you know, want to
take uh you know, want to takeaction with respect to when
their residents travel to otherstates.
So on top of that, you also havestate telehealth-specific laws
(23:48):
that may uh come into play.
So a few states will have lawson privacy or security specific
to telehealth.
And then finally, we have thisgrowing number of state consumer
privacy laws, like theCalifornia Consumer Privacy Act,
and all of those exempt PHIthat's subject to HIPAA.
But going back to the start ofthis conversation, if you are a
(24:10):
telehealth provider who's notsubject to HIPAA, you have to
look at whether you could besubject to one of those state
laws.
And that's the laws that are ineffect today.
There's certainly been talk offederal legislation that could
potentially close the gaps whenentities are outside of HIPAA.
And we continue to see eitherchanges to the recently enacted
(24:32):
state consumer privacy laws ormore state consumer privacy
laws.
So, yes, as Sean mentioned, thiswas being recorded January 15th,
might be out of date by January20th.
We'll see, as this is aconstantly evolving area.
SPEAKER_01 (24:48):
There's one other one other thing that I want to
throw out, and Adam, you bringup a good point by by addressing
the consumer protection andconsumer privacy laws, is I
often get this isn't atelehealth-specific law, but I
also often get questions fromtelehealth providers about the
TCPA, Telephone ConsumerProtection Act.
Um, and I'm not necessarily aTCPA lawyer.
I can answer some of thosequestions and some I refer out,
(25:09):
but a lot of telehealthproviders also are maintaining
active relationships with theirpatients, their consumers, or
even with potential consumers byengaging in outreach campaigns
with text messages or automatedphone calls or things like that.
So we do get a lot of questionson TCPA compliance from
telehealth providers as well.
So I just wanted to throw thatout there.
SPEAKER_02 (25:29):
Good point.
And you know, there's a SupremeCourt decision that kind of
limited the application of TCPA,kind of clarifying what
qualifies as automatic telephonedialing systems.
But not all plaintiff's firmshave necessarily gotten the memo
on that.
And so it still continues to bea hot area.
And then, you know, same sort offederal state divide, even if
(25:50):
you're not subject to federalTCPA, we're seeing a growing
number of what are sometimesreferred to as mini TCPA laws in
the states that sometimes havebroader reach than the federal
TCPA.
So, yes, if you're texting, ifyou're doing any autodialing,
mostly texting in this case, youknow, those laws are definitely
good ones to take a close lookat.
SPEAKER_03 (26:13):
You know, it's interesting because I think in
the olden days, which isprobably, I don't know, 10 years
ago or um or or maybe morerecently than that, even before
some all of these state laws uhstarted springing up on uh
privacy and and uh consumerprotection, you know, I think
(26:34):
people took the position thatespecially direct-to-consumer
telehealth providers who werenot subject to HIPAA, they would
say, okay, great, you know, I'lljust be subject to state law,
and HIPAA was the 2,000-poundgorilla that they didn't want to
have to comply with.
Um, but now, because it's thereare so many and they're so
varied, and frankly, some aremore stringent, um, but many
(26:57):
have an exception for HIPAAcovered entities.
We're seeing a lot of um uhclients or telehealth providers
who you know historically wouldhave taken the position or would
have would like to, if theycould pick and choose, say that
they were not um coveredentities.
But now they're asking, can wecan we choose to be a covered
(27:18):
entity even if we aren't?
Because we'd rather, you know,for have HIPAA apply to us and
potentially um preempt some ofthese, some of these state laws
at least, than um you know haveto be subject to all of these
other um potentially movingtargets.
So it's an interesting,interesting place that we're in
right now.
SPEAKER_02 (27:38):
Yeah, that's a really good point.
I would say Washington's MyHealth, My Data Act, and then
the Nevada equivalent, um, thatone arguably the most uh the
most stringent privacy law um inthe country, at least in certain
respects.
Um New York almost took thatcrown recently, but um with its
own New York HIPAA spelleddifferently, just to confuse
(28:00):
things further.
But that did that got vetoed bythe governor.
But yeah, I had this similarexperience where Ebon was doing
everything they could to, youknow, stay out of HIPAA
coverage.
But then when they realized howlimiting My Health, My Data Act
was, um, which does have anexception for PHI governed by
HIPAA, suddenly theyreconsidered that and said, you
(28:22):
know, maybe HIPAA is not so badafter all.
SPEAKER_03 (28:26):
Well, I'm not sure that you can just opt, you know,
that is a question that we keephaving.
Um, you know, can you opt intoHIPAA even if you're not really
a covered entity?
You know, um, and that's I'm notsure anybody really knows the
answer.
I think the federal governmentmight consider you, you know,
enforce HIPAA against you if youchoose to call yourself a
(28:46):
covered entity.
But I'm not sure that thatnecessarily gets you out of the
state law issues.
SPEAKER_02 (28:50):
Yeah, but all it takes is one.
So in the sense that's um oneclaim, right?
Yeah, I I think you knowarguably by definition, you're
not subject to HIPAA if you're ahealthcare provider that doesn't
do any electronic transactionswith health plans, but hey,
submit one healthcare claim to ahealth plan and congratulations,
you're a covered entity, notjust with respect to that
(29:11):
transaction, but that's right.
Yeah, and no one's figured outwhen that ends, frankly.
SPEAKER_03 (29:18):
Yep, we'll see all sorts of people just doing that
for for one.
Um are there some um HIPAA orother privacy issues that you
see that are specific totelehealth and not just to
healthcare providers in general?
SPEAKER_02 (29:34):
So one I see a lot of is kind of the interplay of
corporate practice of medicineand HIPAA's organizational
structures.
So, you know, I think what Ioftentimes see with telehealth
providers is a you know one ormore professional corporations.
Um, and then the the the truetelehealth provider is actually
(29:57):
kind of a management companythat's doing all the
administrative decisions, butyou know, pursuant of the
corporate practice of medicine,then of the clinical decisions.
And so the way that canoftentimes play out is the PCs,
the professional corporations,those are the covered entities,
versus the telehealth provider,which oftentimes the lawyer's
(30:20):
you know client, um, is actuallynot the covered entity, but is
actually a business associate,maybe even both, you know,
depending on the circumstances.
Maybe they're able to practicein some states, but elsewhere
they can't.
And so they act as the businessassociate to separate
professional corporations.
And so, you know, there you wantto kind of, you know, you don't
(30:43):
want to be thinking about itfrom the standpoint of, oh,
we've got you know 10 differentprofessional corporations, which
are 10 completely independentcovered entities.
So one thing that makes senseunder HIPAA is oftentimes to
establish them as what'sreferred to as an affiliated
covered entity, or an ACE forshort, um, where essentially
covered entities who have commonownership, which would generally
(31:07):
not be the case here, or acommon control with a very, very
loose definition under HIPAA ofwhat qualifies as common control
can designate as an affiliatecovered entity as an ace and be
treated more or less as onecovered entity.
And so if you're kind of a, I'dcall it a telehealth ecosystem
with kind of the platformprovider, you know, platform
(31:29):
slash management company and thePCs, um, you don't want to be
thinking about these as, youknow, okay, I've got
professional corporation A'smedical records, which are
completely have to be keptseparate from professional
corporation B's medical records.
So there's a lot of value todesignate as an ace, which the
practical result is you get totreat all of the healthcare
(31:51):
providers as if they'reessentially a single covered
entity.
But then you also have toremember to have that business
associate agreement in place.
Um it's counterintuitive becausethe business associate, the
management company, uh, youknow, they they may be
essentially in charge.
Um, but from the standpoint ofHIPAA, they're lower on the
(32:13):
ladder.
They're the business associateto the professional
corporations, to the coveredentities.
Um, and so sometimes it getsforgotten that you know the one
calling the shots needs to havea business associate agreement
where they're you knowtechnically kind of beholden to
those professional corporationsas the covered entities.
Um that would definitely be oneset of unique issues, I think,
(32:37):
you know, not truly unique, butsomething that I see popping up
in telehealth a lot more thanelsewhere.
Um, and so you know, make sureyou have all your, you know, all
that requires the appropriatedocumentation.
So your ACE designation, yourbusiness associate agreement,
that sort of thing.
SPEAKER_01 (32:54):
And and I see a lot of providers that overlook that,
frankly, is even even you know,large national healthcare
providers that that don't quitegrasp that yes, we actually are
a bunch of separate legalentities, including multiple
professional corporations.
And in many cases, you have tohave multiple professional
corporations because there aresome states like like California
and New Jersey and a few otherstates, depending on the
(33:15):
profession, where you have tohave a domestic professional
corporation in order to provideservices in that state.
So you've got these nationalcompanies with multiple PCs or
PLLCs.
Um, and and really the solutionfor that is just like you said,
uh Adam, is doing an ACEdesignation.
And then what I've also seen issometimes maybe it's a belt and
suspenders approach, but alsodoing an OCA, an organized
(33:36):
healthcare arrangement, which isvery similar to an ACE, but it's
it's slightly different, but itstill allows multiple covered
entities to be able to sharePHI.
Um, and then just like you said,you really want to treat the
entire enterprise, even if it'scomposed of PCs and a management
company.
You kind of want to they want totreat the business as a single
(33:57):
business.
So having that ACE designationor even an ACE and an OCA
designation allows you todevelop sort of a single set of
HIPAA policies, privacypolicies, and security policies
that can apply to the entirebusiness instead of really
having distinct separate HIPAAcompliance programs for every
single legal entity.
SPEAKER_03 (34:14):
Yeah, we've had a lot of a lot of discussion
around that um as well.
Sort of how to how to simplify,and you know, you're right that
it's often true that it's theplatform that is engaging
counsel or that considers itselfthe business.
But of course, that's not howthe money flows either because
of corporate practice ofmedicine.
So it becomes a big, you know,sort of making sure everything
(34:35):
is documented appropriately, andbecause of corporate practice of
medicine, sort of who's doingwhat for who, um, that that's uh
clearly um described um indocuments is important as well.
SPEAKER_02 (34:48):
Yeah.
And then after you've done allthat, make sure you don't have
HIPAA blinders on because um,unless a state specifically says
if it's fine under HIPAA, it'sfine under our state law.
There, I don't think you'll finda single state medical privacy
law that makes reference to anaffiliated covered entity or an
oak or anything like that.
So all those things are kind ofessential for HIPAA, but may
(35:10):
have no bearing whatsoever atthe state law level.
So you have to make sure thatyou're still complying with
state law.
SPEAKER_03 (35:17):
Can be complicated for sure.
Let's talk a little bit aboutsecurity.
Um, are there uh specific thingsthat you would recommend or
specific requirements that youcan think of that are specific
to telehealth?
Obviously, sort of security andprivacy go hand in hand.
SPEAKER_02 (35:33):
Yeah.
So, you know, first of course,there's the security rule in
general.
And so roughly 50 uh differentstandards and implementation
specifications, and you know, uhevery healthcare provider has
challenges meeting you know thesecurity rule, you know, day in,
day out.
So, you know, don't you knowdon't ignore the the generic
(35:56):
stuff um to start off with.
Um and this year we may see thefirst significant changes to the
security rule really since itwas enacted, other than the 2013
change to extend it to businessassociates.
And so, you know, if you're atelehealth provider compliant
with the security rule today,you may not be compliant by the
(36:19):
end of 2026, um, you know, basedon those changes.
Um but then more specific totelehealth, you know, one is
making sure you have a secure,compliant telehealth platform.
So we saw, for example, whentelehealth first started under
COVID, um, OCR you know did anotice of enforcement discretion
(36:41):
essentially stating we're notgoing to enforce if you don't
comply with certain safeguardswith respect to your choice of
telehealth platforms, forexample.
So if it wasn't signing abusiness associate agreement,
that was not necessarily fatal.
That's long gone.
That's years behind us.
So you know, make sure thatyou're not using, you know, kind
(37:03):
of generic consumer grade videoconferencing, but rather you
have an appropriate corporategrade, you know, secure solution
in which the vendor, if they'regoing to have any access to
protected health information, issigned a business associate
agreement.
So that's one area.
Another one, you know, don't bestupid.
(37:24):
Um a little bit of common sensegoes a long way.
Um, so you you would think youwouldn't have to say it, but you
know, don't take telehealthcalls if you're the provider on
a crowded subway, um, or evenlike, you know, in a in your
home in a place where familymembers can hear everything
you're saying.
So, you know, no matter whereyou're working, you have to
(37:47):
treat that as a securehealthcare provider location.
Um, even though, yes, it iseasier than ever to do
telehealth anywhere, you know,to pick up that call while, you
know, at the boarding gate atthe airport or something like
that.
But, you know, be cognizant thatyou you are subject to the
security rule wherever you aretaking that call, essentially.
(38:10):
Um, and then finally, um, youknow, this is not specific to
telehealth providers, but as Imentioned earlier, we've seen a
few enforcement actions in thisarea.
Um, as a telehealth provider,you likely have a website and
rely on it heavily.
Um, understand what informationis flowing from your website,
you know, pixels, you know, overto Google Analytics or whatever.
(38:31):
Um, and that all that iscompliant with HIPAA and
compliant with your privacypolicies, because you know, we
have seen, you know, in 2024under the last administration,
um, the FTC looked at telehealthproviders and others at their
website practices.
We don't know whether under thenew current administration um
(38:53):
the FTC is gonna continue withthat focus.
But um, you know, if even if theFTC doesn't, there are plenty of
class action attorneys who arehappy to look at your website
for you.
And if they see informationflowing, happy to bring
litigation and hope for a quick,nice settlement.
Um, so don't forget about thosewebsite disclosures.
SPEAKER_03 (39:13):
I'm gonna put a plug-in for doing um security
risk assessments as well.
We've certainly seen someenforcement um on clients'
behalf.
And you know, if you ever areinvestigated by OCR, the first
thing that they're gonna ask youfor is your security risk
assessment.
And if you can't provide one,um, they're gonna find that you
(39:34):
know they just consider that abest practice or just not even a
best practice, a requiredpractice for entities in the
healthcare industry.
And so if you don't have one,you're likely to pay some fines
and see some complianceenforcement.
SPEAKER_02 (39:48):
Yep, absolutely.
There's about, you know, as Imentioned earlier, like 50
standards and implementationspecifications, but not all of
them are created equal.
And that risk analysisimplementation specification,
OCR, the Office for.
civil rights at HHS considers itfoundational to your entire
security rule complianceprogram.
And if you look at you know theminority of cases that have gone
(40:12):
to financial settlement or civilmonetary penalties, those that
don't relate to private privacyright of access, you know, I
would say the number two issuetends to be on the security rule
side, lack of a risk analysis.
And through multipleadministrations, they've had
risk analysis listed as theirnumber one priority in
(40:34):
enforcement.
So absolutely, you know, and asa telehealth provider, your
risks are going to be entirelydifferent than the risks facing
a brick and mortar healthcareprovider.
And so your risk analysis shouldreflect those unique set of
risks.
SPEAKER_03 (40:53):
We've uh we've talked a little bit about some
other compliance risks alreadyjust in this conversation like
corporate practice of medicine,things that you have to think
about as a telehealth provider.
Are there other things that weshould um mention here that that
you guys would like to discuss?
There's one one thing that we'veum I know we've all talked about
(41:13):
before was Medicare enrollmentfor a multi-state provider.
Do you guys want to weigh in alittle bit on that?
The issue you know tends to bethat number one, telehealth
providers operate in multiplestates and Medicare still
requires enrollment on a stateby state basis.
(41:34):
And then also the Medicareregulations for enrollment the
requirements for enrollmentrequire you know sort of
practice location informationand operational information and
oftentimes there is no physicalbrick and mortar location for a
telehealth provider.
What do you guys do or recommendin those situations?
SPEAKER_01 (41:58):
You know it's it's really a challenge for for
healthcare providers that areoperating telehealth practices
that are providing services inalmost every state um especially
because they may not have abrick and mortar location and
they certainly if they'retelehealth only provider they
certainly are not seeingpatients in those locations.
But CMS doesn't necessarilyrequire that you have locations
(42:20):
that people that patients cancome in and actually be treated.
These locations just have to beoperational and and they don't
have to be operational 24-7 oranything like that.
But what they really expect isthat you've got an address a
physical address in each statethat the that that address at
that location is operational,whether it be an office location
(42:42):
or even a home location for aphysician if they're providing
services out of their home andthat and that really the the
information that you provideabout that location that it's
accurate.
So that's kind of the key thingsbut the problem is there's you
know Medicare surveyors this israre but they certainly can show
up and and do a survey and ifthey show up and do a survey
they're going to be looking fora lot of other things they're
(43:03):
going to be looking for signageand they're going to be looking
for staff and they're going tobe looking for you know posted
office hours and stuff likethat.
So that can be a challenge forfor telehealth providers but my
advice typically is to try toget an address in each state.
If that needs to be the personaladdress of a physician and then
that can work.
There's been a flexibility overagain it was related to COVID
(43:27):
for providers to be able to notnecessarily have to enroll their
home locations but even if theydidn't enroll their home
locations then they still had tohave a practice location or a
primary practice location stillin that state that they were
reporting the services from.
So best practice is still goingto be to have a practice
location with an address inevery state even if you're not
(43:47):
providing services out of itevery day and even if you can't
see patients in person in thatlocation.
But you need to get an address.
And then and then if if you doneed to use a provider's home
address there is now a anability to mask that if you
report it as an administrativeonly site or a telehealth site
then then that the addressitself for privacy reasons I
(44:11):
believe is masked from thingslike the NPI database or the
provider enrollment record.
So that's not available to thepublic um but it still certainly
is a challenge to to deal withthose with those rules that are
really designed aroundtraditional in-person brick and
mortar locations.
SPEAKER_03 (44:26):
Yeah we had exactly that situation recently um where
an investigator went to the youknow cited physical location
which was some we work space oryou know that that um and that
didn't didn't cut it um andwe've seen the same thing happen
when it's a PO box you know likethat that doesn't work either.
SPEAKER_01 (44:47):
Yeah they want it they want a physical location
I've had some some luck using awe work space or a regis space
or those those types oftemporary you know rented office
locations but you still have tomake sure that it's an
operational space and sometimesyou have to you have to provide
an explanation to the Medicaresurveyor.
Yep with that I think um we'rekind of getting to the end of
(45:11):
our time so um do you guys haveanything else you want to
discuss before we sign off Idon't I don't think nothing
necessarily I think we'vecovered a lot of interesting
issues you know there's a lot ofcompliance issues and that come
along with telehealth just youknow the ones we've spoken about
reimbursement privacy andsecurity corporate practice of
(45:31):
medicine is always a challenge.
And then I guess the other onething that that can be difficult
but certainly you can deal withis establishing provider
relationships remotely.
If you don't already have arelationship with that patient,
the provider does not then eachstate has different standards or
criteria for what you can do tocreate to establish that patient
(45:52):
relationship remotely viatelehealth.
So make sure if you're operatingin a state or a number of
different states that you'reaware of or advising clients
that they are aware that theremay be different standards for
establishing that relationshipin different states.
But otherwise this has been agreat discussion I think we've
covered a lot of topics andhopefully it's been helpful to
everybody.
SPEAKER_03 (46:11):
Thanks you guys so much for participating.
SPEAKER_01 (46:13):
Thank you.
SPEAKER_00 (46:14):
Take care thanks Jen thank you if you enjoyed this
episode be sure to subscribe toAHLA Speaking of Health Law
wherever you get your podcast.
For more information about AHLAand the educational resources
available to the health lawcommunity visit
americanhealthlaw.org and stayupdated on breaking healthcare
(46:38):
industry news from the majormedia outlets with AHLA's health
law daily podcast exclusivelyfor AHLA comprehensive members.
To subscribe and add thisprivate podcast feed to your
podcast apps go toamericanhealthlaw.org slash
daily podcast
Popular Podcasts
Two Guys, Five Rings: Matt, Bowen & The Olympics
Two Guys (Bowen Yang and Matt Rogers). Five Rings (you know, from the Olympics logo). One essential podcast for the 2026 Milan-Cortina Winter Olympics. Bowen Yang (SNL, Wicked) and Matt Rogers (Palm Royale, No Good Deed) of Las Culturistas are back for a second season of Two Guys, Five Rings, a collaboration with NBC Sports and iHeartRadio. In this 15-episode event, Bowen and Matt discuss the top storylines, obsess over Italian culture, and find out what really goes on in the Olympic Village.
iHeartOlympics: The Latest
Listen to the latest news from the 2026 Winter Olympics.
Milan Cortina Winter Olympics
The 2026 Winter Olympics in Milan Cortina are here and have everyone talking. iHeartPodcasts is buzzing with content in honor of the XXV Winter Olympics We’re bringing you episodes from a variety of iHeartPodcast shows to help you keep up with the action. Follow Milan Cortina Winter Olympics so you don’t miss any coverage of the 2026 Winter Olympics, and if you like what you hear, be sure to follow each Podcast in the feed for more great content from iHeartPodcasts.