Law360 (June 15, 2020, 6:00 PM EDT) --
While some providers and payers utilized remote care management and patient monitoring modalities prior to the pandemic, the pandemic has accelerated the adoption of these remote techniques and telehealth platforms.
In the prepandemic shift toward value-based care, care management increasingly became a key tool for providers and payers to manage the care, health care outcomes and cost of care for more complex patients with chronic conditions and comorbidities.
As telehealth technology improves and the economic models and reimbursement structures for care management evolve — driven by necessity during the pandemic — we expect a broader and continued migration of these services to remote, technology-based modalities, not only for those with complex and chronic conditions, but also for the general population.
In this article, we consider the legal implications of this trend and provide practical recommendations for care management programs to facilitate this migration within the bounds of these legal considerations.
Care management, an increasingly important component of the delivery of health care services, is a set of activities designed to assist patients and their caregivers in managing medical conditions more effectively. Generally a multidisciplinary endeavor, care management aims "to achieve an optimal level of wellness and improve coordination of care while providing, cost-effective, non-duplicative services."
Care management programs typically involve "identifying and engaging high-risk individuals, providing a comprehensive assessment, creating an individual care plan, engaging in patient education, monitoring clinical conditions, and coordinating needed services."
Payers and providers may facilitate their own care management programs or may contract with third parties with general care coordination expertise or disease-specific experience to administer these programs. Traditional fee-for-service compensation arrangements generally offer no or little reimbursement for these activities. As result, under these traditional arrangements, providers have historically viewed care managers as an expense, rather than a revenue source, since the cost burden for care management activities falls on providers.
The shift toward value-based payment arrangements, however, has ushered in a need for comprehensive care management programs as provider payments become increasingly tied to cost reductions in care and to the achievement or maintenance of particular health care outcomes. Telehealth technologies, such as live videoconferencing and store-and-forward interactions like patient portals, further enhance the potential to reduce costs and maintain or achieve particular health outcomes.
With the expansion of telehealth during the pandemic, reimbursement opportunities are growing for care management services performed using telehealth technologies. For example, prior to the pandemic, few states required private insurers to cover telehealth care management or to reimburse telehealth care management at the same rate as in-person care management services.
The pandemic, however, has compelled a number of states (e.g., Massachusetts and Illinois) to mandate that the reimbursement for telehealth services (including care management) be paid at the same rate paid as for in-person services, at least for the duration of those states' declared public health emergencies.
As the use of telehealth care management continues during the pandemic and after, there are some key legal and practical considerations that care management programs should address as they expand their use of telehealth technology.
Among others, the key considerations include: (1) compliance with health information privacy and security laws, including the Health Insurance Portability and Accountability Act (inclusive of amendments and implementing regulations); (2) limitations in licensure contracts and terms of service for the technology platforms; (3) professional scope of practice and use of licensed care managers; and (4) reimbursement.
Health Information Privacy and Security
Telehealth platforms must comply with applicable health information privacy and security laws. When utilized by health care providers and health plans, these platforms come within the providers' and plans' health information privacy and security obligations, including those imposed on providers and payers as covered entities under HIPAA.
When contracted care managers utilize telehealth platforms to assist health care providers and health plans with patient care management and care coordination, those care managers are doing so as business associates (i.e., as persons or entities that perform certain functions for and on behalf of covered entities and require protected health information, or PHI, from the covered entity to perform such functions).
Telehealth platform vendors may themselves be business associates to covered entities (or subcontractor business associates to contracted care managers) when those vendors' software is utilized to exchange or process PHI for patient care or care management communications. In both aforementioned arrangements, the telehealth platform must be HIPAA compliant. This means that (1) the technology must comply with the HIPAA Security Rule, (2) the vendor must have in place an applicable HIPAA compliance policy, and (3) the care manager must have in place appropriate business associate agreements.
During the pandemic, the U.S. Department of Health and Human Services' Office for Civil Rights issued a notification of enforcement discretion providing that the OCR will not impose penalties against health care providers for noncompliance with the regulatory requirements under HIPAA in connection with health care providers' use of telehealth in good faith during the COVID-19 nationwide public health emergency.
Notably, the OCR's enforcement discretion is narrow and applies only to health care provider covered entities, and not to health plans or business associates (including third-party care management organizations) that may also be utilizing these telehealth platforms.
Consequently, third-party care management organizations that are utilizing permitted telehealth platforms are presently not relieved of their HIPAA compliance obligations, so such technology, and the care managers use, must be HIPAA-compliant. The care manager must also have in place a business associate agreement (or subcontractor business associate agreement) with the technology company.
Once the declared public health emergency ends, the OCR's enforcement discretion will similarly terminate. While health care providers may persist under the current regulatory flexibility, they should remain attuned to the end of the public health emergency and be prepared to ensure HIPAA compliance at that time.
Additionally, all users of these telehealth platforms should be aware of applicable state data protection laws that may be more restrictive than HIPAA (e.g., California's Consumer Privacy Act and New York's SHIELD Act). Security flaws in some of the commonly used telehealth platforms have recently become well publicized, and enforcement agencies (including the New York state attorney general) have already begun to investigate and take action requiring such platforms to comply with applicable data security laws.
While the OCR's enforcement discretion will terminate, some enforcement discretion flexibilities (e.g., the use of nonpublic-facing remote video communication platforms) may remain in place in some form. HIPAA currently does not contain any telehealth-specific rules, and there is great pressure to retain these flexibilities as providers and consumers have become acclimated to the value and importance of telehealth in increasing access to much needed care.
Certain business challenges will continue to exist in this increasing shift to telehealth platforms. Due to the size and sophistication of their business operations and technology infrastructure, major technology companies are unlikely to negotiate terms of their form business associate agreements, which may include additional terms that are not required under HIPAA (often relating to liability for mishandling PHI and indemnification).
Care managers should carefully examine these subcontractor business associate agreements to ensure they comport with the underlying business associate agreements they entered into with their health care provider and health plan customers.
Contract Term Limitations
Telehealth technology platforms generally require a software license and impose terms and conditions on their users. Care managers should review these software license terms and conditions in light of expected use of the platform. Many software licenses control the scope and price of the platform license based on the number of authorized users.
A fixed per-user license allows a fixed number of users to install and use the software on their computers. On the other hand, a floating concurrent-user license permits an unlimited number of users to install the software on their computers but limits the number of users of the software at any time.
As patient needs evolve, especially for those with chronic conditions, care managers should consider how their telehealth platform would affect the care management team's ability to expand the number of authorized users or, if applicable, share their platform with partner health care providers. If sharing a telehealth platform with partner health care providers, care managers may also need to consider anti-kickback risk if the health care provider is using the platform to perform a billable patient care service.
In such cases, the health care provider's use of the platform should be restricted to the provision of patient care services that are part of or integral to the applicable care management plan, and the providers must be restricted from generally using the platform to provide unrelated patient care or care to patients that are not subject to a care management plan administered by the care manager. Even still, such arrangements should be given due scrutiny.
Scope of Practice/Use of Licensed Providers
Care management programs should also beware of how they employ or arrange for the professional activities of professional licensed staff, particularly if such programs involve the delivery of services by professionally licensed individuals, such as registered nurses or advanced practice nurses.
Many states have a long-standing and regularly enforced prohibition on the corporate practice of professions, which restricts any "business relationship that could place constraints upon professional judgement, unduly limit professional practice, invade the professional integrity of the professional or permit the business corporation to make professional decisions."
As a result, professional services can only be offered by individuals licensed in the applicable healing arts, such as physicians or nurses, or by authorized professional organizations or pursuant to qualified exemptions.
Depending on applicable state licensing laws, professional licensure laws may narrowly or broadly define the practice of certain professions. For example, New York's Nurse Practice Act broadly describes the practice of nursing as "diagnosing and treating human responses to actual or potential health problems through such services as case-finding, health teaching, health counseling, and provision of care supportive to or restorative of life and well-being, and executing medical regimens prescribed by a licensed [health care provider.]"
In these corporate practice states, unlicensed entities, such as care management service companies, must comport their business practices to these laws, including, if applicable, forming appropriate professional organizations or limiting the scope of practice of any licensed professionals who are employed.
Because telehealth affords the provision of services across state lines, care managers expanding beyond their initial state of operation should perform a state-by-state analysis to ensure their business structure comports with applicable state laws.
While at least 49 states have temporarily relaxed licensure requirements for out-of-state health care professionals in connection with the provision of telehealth services amid the pandemic, these waivers are expected to be short-term and will require significant political will to become permanent. Providers, therefore, should not bank on continued regulatory flexibility once the pandemic subsides.
Reimbursement policies around telehealth care management have been evolving. Prior to the COVID-19 pandemic, care management was included among Medicaid covered services provided via telehealth. Since 2015, Medicare has covered chronic care management, or CCM, services, which are generally nonface services provided to Medicare beneficiaries who have two or more chronic conditions.
While CCM services use telehealth technologies, these services are not included in Medicare's definition of "telehealth," and thus were never subject to the pre-COVID-19 telehealth limitations (e.g., geographic restrictions). However, pre-COVID-19 CCM billing codes did have other restrictions, such as time limits, which resulted in low participation levels from providers.
Recent changes by Medicare (unrelated to the pandemic), including the addition of new codes to bill for chronic care management services in 2020, expanded billing opportunities for care management and signal long-term support for the utilization of telehealth for care management.
The expansion of telehealth services and reimbursement has created momentum that will likely result in political pressure to liberalize regulations that have historically limited access to telehealth services, as patients and providers recognize the utility of telehealth during the pandemic. These enhanced flexibilities, however, will likely increase government scrutiny for potential fraud and abuse.
Care managers should be vigilant with respect to documentation requirements for billing for telehealth services. For example, for CCM services, a billing practitioner cannot report both complex and noncomplex CCM for a given patient in a given calendar month. CCM services by clinical staff (including those working under contract to the billing provider) cannot be reported in the same calendar month as those provided by the provider.
CCM services provided by clinical staff must be under the direction of the billing provider on an "incident to" basis (as an integral part of the provider's services), subject to applicable state law, licensure and scope of practice. Additionally, some services may not be billed concurrently with behavioral health integration services or monthly capitated end-stage renal disease payments.
Practical Considerations for Care Managers
We expect the trend toward use of telehealth platforms to persist after the pandemic. As providers reel from unexpected heavy losses incurred during the pandemic, care management organizations increasingly shifting to telehealth platforms can position themselves as valuable revenue sources and partners in the delivery of much needed care. Before taking the plunge into telehealth, care management organizations should take care to:
1. Select a technology vendor with a strong HIPAA compliance background and, if applicable, negotiate nonstandard provisions in a subcontractor business associate agreement to ensure obligations comport with business associate agreements executed with covered entities.
2. Negotiate for a software license that will give the best flexibility to expand the care management team and share the platform with providers in response to patient needs. As necessary, mitigate against potential anti-kickback law enforcement risks.
3. Where required by state law, form professional entities that are capable of employing or arranging for the professional activities of professionally licensed care management team members to reduce enforcement risk in states that generally prohibit the corporate practice of professional services.
4. Closely examine coding and billing practices against payer policies to mitigate revenue cycle compliance risks.
While the future of the COVID-19 pandemic is unpredictable, one fact that remains constant is the treatment of chronic health conditions is very costly — approximately 90% of all health care spending in the U.S. goes to the treatment of chronic illness.
Management of these illnesses is key to reducing the burden on the U.S. health care infrastructure. With the right business and legal structures in place, care management organizations shifting to telehealth can continue to help health care providers and health care plans provide quality care during the pandemic and beyond.
Sarah F. Blumenthal and Richard A. Harris II are associates at Ropes & Gray LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 Center for Health Care Strategies, Inc., "Care Management Definition and Framework" (2017), https://www.chcs.org/media/Care_Management_Framework.pdf.
 National Association of Community Health Centers, "Value Transformation Framework Action Guide" (July 2019), http://www.nachc.org/wp-content/uploads/2019/03/Care-Management-Action-Guide-Mar-2019.pdf.
 Alan Snell, "The Role of Remote Care Management In Population Health," Health Affairs (April 4, 2014), https://www.healthaffairs.org/do/10.1377/hblog20140404.038196/full/.
 See e.g., Massachusetts, "Order Expanding Access To Telehealth Services And To Protect Health Care Providers" (March 15, 2020), https://www.mass.gov/doc/march-15-2020-telehealth-order/download; Illinois "Executive Order to Expand Telehealth Services and Protect Health Care Providers in Response to COVID-19," (March 19, 2020), https://www2.illinois.gov/Pages/Executive-Orders/ExecutiveOrder2020-09.aspx.
 See 45 CFR § 160.103.
 Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (March 17, 2020), https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
 Ryan Tariinelli, "Zoom Agrees to Security Measures After NY Attorney General Investigation," New York Law Journal (May 8, 2020), https://www.law.com/newyorklawjournal/2020/05/08/zoom-agrees-to-security-measures-after-ny-attorney-general-investigation/.
 See e.g., OCR, FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency (March 20, 2020) (OCR favorably observes that these platforms typically employ end-to-end encryption; support individual user accounts, logins, and passcodes to help limit access and verify participants; and allow participants to assert some degree of control over particular video/audio capabilities), https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.
 N.Y. Education Department, Office of Professions, Report to Board of Regents: Corporate Practice of the Professions (1998) (rev. Aug. 25, 2010), available at: http://www.op.nysed.gov/corp/corppractice.htm; see also 225 Ill. Comp. Stat. Ann. 65/50-15 (No person shall: (1) Practice as an advanced practice nurse without a valid license as an advanced practice nurse, except as provided in Section 50-15 of this Act . . . (b) Any person, including a firm, association or corporation who violates any provision of this Section shall be guilty of a Class A misdemeanor."); Neill v. Gimbel Bros., Inc., 199 A. 178, 219 (Pa. 1938) ("[A] licensed practitioner of a profession may not lawfully practice his profession among the public as the servant of an unlicensed person or a corporation; if he does so, the unlicensed person or corporation employing him is guilty of practicing that profession without a license.").
 N.Y. State Education Law, Article 139, http://www.op.nysed.gov/prof/nurse/article139.htm.
 See Federation of State Medical Boards, "U.S. States and Territories Modifying Requirements for Telehealth in Response to COVID-19" (as of May 26, 2020), https://www.fsmb.org/siteassets/advocacy/pdf/states-waiving-licensure-requirements-for-telehealth-in-response-to-covid-19.pdf ; see e.g., State of California, Proclamation of a State of Emergency (March 4, 2020), https://www.gov.ca.gov/wp-content/uploads/2020/03/3.4.20-Coronavirus-SOE-Proclamation.pdf.
 Center for Connected Health Policy, "State Telehealth Laws and Reimbursement Policies" (Spring 2020), https://www.cchpca.org/sites/default/files/2020-05/CCHP_%2050_STATE_REPORT_SPRING_2020_FINAL.pdf.
 Medicare Learning Network ("MLN"), "Chronic Care Management Services" (July 2019), p. 3, https://www.cms.gov/outreach-and-education/medicare-learning-network-mln/mlnproducts/downloads/chroniccaremanagement.pdf.
 Center for Connected Health Policy, "Telehealth and Medicare," https://www.cchpca.org/telehealth-policy/telehealth-and-medicare.
 Alexis Edwards, "Chronic Care Codes Offer Greater Flexibility and Payment in 2020" (April 2, 2020), https://www.medicaleconomics.com/news/chronic-care-codes-offer-greater-flexibility-and-payment-2020.
 Revisions to Payment Policies under the Medicare Physician Fee Schedule, Quality Payment Program and Other Revisions to Part B for CY 2020, https://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/PhysicianFeeSched/PFS-Federal-Regulation-Notices-Items/CMS-1715-F.
 Medicare Learning Network, "Chronic Care Management Services" (July 2019), https://www.cms.gov/outreach-and-education/medicare-learning-network-mln/mlnproducts/downloads/chroniccaremanagement.pdf.
 Centers for Disease Control and Prevention, "Health and Economic Costs of Chronic Diseases" (as of March 23, 2020), https://www.cdc.gov/chronicdisease/about/costs/index.htm.
For a reprint of this article, please contact email@example.com.