The transportation landscape in America has evolved and these developments are now impacting health care. With about 75 percent of the U.S. population living in a county with access to an on-demand ride-hailing service, many patients are turning to ride-share services, like Uber and Lyft, as a means to obtain their medical care.

The idea of partnering ride-sharing and health care is not new. Over the past few years, ride-sharing companies have been edging their way into the health care realm. Both Uber and Lyft have been testing pilot programs involving nonemergency medical transportation (NEMT) and other non-traditional health care transportation models with major providers, institutions, insurers, and transportation brokers nationwide. Until recently, most of these programs have been limited in scope to specific health care facilities, by service (e.g., concierge services that ferry flu shots to people, or enabling users to request a doctor to provide on-demand diabetes and thyroid tests) and by patient population (e.g., Medicare Advantage, Medicaid, and limited commercial payors).

Recognizing the need for accessible and cost-efficient health care transportation is not unique to Uber and Lyft. A number of revolutionary NEMT companies have emerged in various markets to supplement traditional health care transportation options and the “Big Two” ride-share companies have partnered with many of these outside vendors to enhance an established and (presumably) compliant service offering in specific markets. Certain NEMT companies, like Veyo, American Medical Response, and Circulation, have made their own name in the NEMT space. Interestingly, both Uber (in 2016) and Lyft (in 2017) announced partnerships with Circulation, utilizing Circulation’s customizable NEMT platform to integrate with each ride-sharing companies’ application program interfaces (API) and connecting with the interfaces of the health care systems’ they service.

With these numerous initiatives, it was unsurprising this year when the Big Two made their entrance into the entire health care market official. By expanding beyond outsourced NEMT ridesharing services to predetermined health care facilities, both Uber and Lyft have launched their own platforms to allow all health care providers to schedule rides for their patients.

In March, Uber introduced and launched “Uber Health,” a distinct application from the traditional Uber app, which provides a digital portal allowing health care organizations to book rides for a patient or caregiver who need help getting to and from medical appointments. Through Uber Health, unlike traditional NEMT services (where government and certain commercial payors may reimburse the transportation company for the rides), Uber bills the health care providers who sign up for Uber health monthly based on the cost of their patients’ rides, which are on par with standard Uber rates at the time of the ride booking.

On the other hand, in 2016 Lyft first introduced a service called “Concierge,” which similarly allows health care providers to set up rides for patients to get to appointments; however, also in March of this year, Allscripts and Lyft announced their partnership to incorporate the Concierge patient transportation interface directly into Allscripts Sunrise EHR so that when a patient’s transportation needs are noted in his or her medical record, a Lyft is automatically scheduled for that patient. Similar to Uber Health, under Lyft’s Concierge service, the providers pay for the rides.

This shift in health care transportation was inevitable and providers are now able to leverage the convenience of these ubiquitous apps to ensure better experience and care for their patients; however, caution should be taken to ensure that these patient rideshares are done in a legally compliant way.

Primarily, these ride-share services raise concerns under fraud and abuse regulations. Because health care providers coordinate patient transportation through the applications, providers need to be careful about offering free or discounted rides to patients which could trigger the federal anti-kickback law. Providers who treat state and federal program beneficiaries will need to ensure that the method of delivery adheres (or as closely as possible) to the Office of Inspector General’s (OIG) safe harbor regulations applicable to free or discounted local transportation. As outlined in a prior post on this Blog, in 2016 the OIG announced a safe harbor that protects a health care provider or other eligible entity (i.e., any individual or entity, except those who primarily supply health care items) from Anti-Kickback Statute (AKS) and Civil Monetary Penalty (CMP) penalties if it provides free or discounted local transportation to Medicare patients and other federal health care program beneficiaries, so long as all of a number of conditions are met. These conditions require, among other things, that there be a written policy in place which restricts how transportation services are used and advertised, and that the transportation be available only to “established patients.” Therefore, if a health care provider attempts to advertise the availability of free rides as an inducement to grow its patient base, it could quickly find themselves paying fines, including treble damages.

Additionally, many states have their own kickback prohibitions, potentially placing limitations or restrictions on the utilization of ride-share platforms for professional services. If no government beneficiaries are seen by a provider, the provider can ultimately decide whether to pay for the service or pass some or all of the cost on to their patients. Therefore, a state-by-state analysis should be performed to assess appropriate practices prior to offering ride-share services to patients. These payment and kickback concerns will continue to develop as private insurers assess reimbursement eligibility for ride share services.

One population that has been left out of the trend to partner ride-sharing with providers are those in wheelchairs or who need transportation accommodations due to a disability. Uber, was recently sued by a San Francisco-based advocacy group for not providing wheelchair-accessible transportation, and the company is now piloting such vehicles in several cities. To the extent a health care practice is “participating” in a ride-share platform, any acts of non-compliance by the ride-share company, depending on the terms of the arrangement (or lack thereof), could potentially flow to the provider, as the ride-share companies, acknowledging their status as Business Associates, are ultimately performing the services on behalf of the provider.

This Business Associate recognition prompts the overarching patient privacy concerns inherent in the ride-sharing services. Since ride-sharing companies (and their drivers) will have access to individually identifiable and/or protected health information, providers must have appropriate Business Associate Agreements (BAAs) in place to comply with the Health Insurance Portability and Accountability Act (HIPAA). Both Uber and Lyft have touted their proactive and preemptive compliance with HIPAA and publicized engagements of third-party HIPAA compliance companies to ensure development, implementation, and customization of the necessary safeguards for data security in the distinct APIs for their new platforms.

Uber asserts that Uber Health drivers won’t know which of their passengers are using Uber Health. Like a typical Uber ride, only a passenger’s name, pickup and drop-off addresses will be given to the Uber Health driver and Uber drivers are not able to opt into or out of the health service the same way that they can with Uber Eats, an affiliated food delivery service. Therefore, on a trip to a hospital or medical practice, a driver won’t know whether a rider is traveling to the health care facility using the traditional Uber app—to commute to work, for example—or is meeting a doctor through the health care platform.

The logic (or belief) is that although the ride-share companies are Business Associates, the companies’ drivers are not given any medical information and are not even informed that a ride is under the health care platform; therefore, the drivers are not Business Associates (or “subcontractors” under HIPAA). This concept has seemingly satisfied the outsourced risk and compliance assessments; however, the government has yet to opine as to whether individually identifiable health information (not just “medical information”) is truly kept private under HIPAA’s somewhat ambiguous standard of requiring only a “reasonable basis to believe the information can be used to identify the individual.”[42 CFR 160.103 (Individually identifiable health information)]

Additionally, to address obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, Uber is storing data from Uber Health in separate servers, meaning that only select Uber employees and the health care providers have access to patient data. Furthermore, Uber is housing everything itself and is not sharing Uber Health data with anyone downstream in its supply chain, thereby eliminating obligations to manage the transfer of data or implementing third-party vendor risk management programs. Accordingly, a breach in Uber’s servers presumably should not compromise Uber Health’s data.

Despite these safeguards and demonstrated HIPAA-compliance, risks still remain (e.g., potential data breaches). Not that long ago, Uber was hit by a cyberattack exposing the personal information of 57 million riders and drivers, and the company’s delayed public notification of the incident was disconcerting to many. Providers, as Covered Entities, participating in these ride-share platforms risk potential imposition of stiff penalties for data breaches, increasing the importance of entering into a well-drafted BAA with the ride-share company.

Uber has stated they are “pleased to sign BAAs with all participating healthcare organizations” and the Uber Health’s Dashboard Terms and Conditions provide that the “Terms shall automatically terminate upon the termination of the Business Associate Agreement that the parties separately entered into…” This acknowledgement is the first step, but it is unclear as to whether Uber has their own form BAA or will accept a provider’s form/terms for each individual relationship.

The incorporation of ride-sharing transportation into the delivery of health care services can provide benefits to both providers and their patients; however, the array of health care regulatory issues should be evaluated and assessed before signing up for such programs. If you or your practice have any questions or are interested in offering a patient ride-share program, please contact Michael Bassett at mbassett@foxrothschild.com or 215.444.7191, or any member of Fox Rothschild’s Health Law Group.

 

Last month, CMS Administrator Seema Verma announced several initiatives to innovate the delivery of patient care at the ground level.  In collaboration with the Trump Administration and other federal agencies, CMS is taking steps to implement a system in which patients have control of their electronic health information and can easily transfer it between health care providers.  This system, referred to as “MyHealthEData,” is also intended to allow both physician and patient to access the clinical and payment data required to make the best healthcare decisions at the point of care.

Doctor using tablet to view electronic medical recordAs announced, CMS’s short-term efforts in connection with the MyHealthEData initiative include:

  • Launching Medicare’s Blue Button 2.0, which will allow a patient to access and share his/her healthcare information and medical history with a new physician, leading to less duplication in testing and enabling continuity of care.
  • Requiring providers to update their systems to improve data sharing.
  • Requiring hospitals to share specific types of data with a patient’s receiving facility or post-acute care provider following discharge.
  • Streamlining documentation and billing requirements for E&M codes to allow doctors to spend more time with their patients.
  • Reducing the incidence of unnecessary and duplicative testing that occurs as a result of providers not sharing data.

CMS is also taking steps to overhaul the EHR incentive programs (including the Advancing Care Information category of the Merit-based Incentive Payment System (MIPS) and the EHR Incentive Programs for Hospitals) to prioritize interoperability of EHR systems, reduce the time and costs required to comply, and prevent providers from withholding healthcare data from patients.

For more information on the MIPS and the Quality Payment Program, please see our prior post here and CMS’s interactive website on the Quality Payment Program here.

For more information on the MyHealthEData Initiative, please see CMS’s published Fact Sheet.  Stay tuned to Fox Rothschild’s Physician Law Blog for updates.

On Fox’s In the Weeds blog, associate Richard Holzworth discussed the influx of patients registering for the Pennsylvania Medical Marijuana Program, and provided an overview of key policy and procedure updates that PA’s healthcare facilities, including hospitals and long-term care providers, should adopt:

Illustration of Rod of Asclepius on marijuana leafDespite Pennsylvania’s medical marijuana industry being in its infancy, more than 17,000 patients have registered for the program, and more than 4,000 already have received their medical marijuana card from the Department of Health. Now that cannabis products have burst onto the scene, hospitals and other residential healthcare facilities are struggling with what to do when patients present medical marijuana cards and attempt to use marijuana in the facilities. Indeed, it is high time for the healthcare providers to update their policies and procedures to address these growing concerns.

Policy Considerations

In developing a medical marijuana policy, it is important for healthcare administrators to remember that medical marijuana, although legal in most states, is still classified by the federal government as a Schedule I Controlled Substance. With medical marijuana laws varying from state to state, hospitals, healthcare associations, and other stakeholders have developed and implemented a wide range of policies addressing the use and possession of medical marijuana products. These policies range from strict, categorical prohibitions to sanctioned self-therapy during hospital admission. Regardless of a healthcare facility’s philosophy (either from a political or medicinal perspective) on medical marijuana, it is important for each institution to develop and implement a comprehensive set of policies and procedures to address the inevitable circumstance of a patient presenting with a medical marijuana ID card or cannabis products in hand.

Due to the large volume of patient registrants to the Commonwealth’s medical marijuana program, PA physicians and their staff may see local healthcare facilities make changes to their policies and procedures with respect to medical marijuana in the coming months.

We invite you to read Richard’s full informative piece and stay tuned for our coverage of further developments.

Kristen Marotta writes:

Recently on Fox’s HIPAA & Health Information Technology blog, we discussed the privacy and security issues arising from the growth of telemedicine, as well as the general benefits that such growth could have for recent medical graduates. Now, with more funding and attention being given to telemedicine, new physicians will have the opportunity to make a difference in rural health care and move the industry into an entirely new direction.

The New York City skyline, including the Empire State BuildingIn New York, recent funding has been made available through the New York Office of Mental Health (OMH) to expand the use of telemedicine in the treatment of mental health patients. This new funding stream for “telepsychiatry” provides a new avenue for the practice of psychiatry in New York and provides a unique consideration for New York physicians considering the practice of psychiatry for their long-term career.

Psychiatrists or physicians considering the practice of psychiatry should familiarize themselves with the OMH’s regulations on telepsychiatry services set forth in Title 14 of the New York Code, Rules and Regulations (NYCRR), including Part 596, which recently expanded the ability of physicians to practice telepsychiatry outside of outpatient clinic settings, including between OMH-licensed sites and provider sites enrolled in New York State Medicaid. A summary of the current regulations, as well as additional guidance on telepsychiatry in New York, can be found on the OMH website. In particular, we note a comprehensive checklist and guidance published by the OMH in early 2017 regarding provider responsibilities in practicing telepsychiatry.  We also note that privacy and security concerns are discussed in this checklist. Providers rendering telepsychiatry services must comply with all federal HIPAA laws and regulations, in addition to New York’s Mental Hygiene Law Section 33.13.

Due to the nature of telepsychiatry (or any type of telemedicine), it is important for providers to remember that there are two physical locations where protected health information of patients is potentially used and disclosed. For telepsychiatry in New York, the policies and procedures at the distant site must match those of the originating site exactly. In addition, both sites must meet “the minimum standards for privacy expected for patient-clinical interaction at a single Office of Mental Health licensed location.” [14 NYCRR 596.6(b)(2)(ii)]. For confidentiality purposes, when physicians practice telemedicine of any type, they should abide by the same rules as they would for written clinical medical records.

In addition to the highly technical components discussed in the OMH’s guidance, providers will also need to substantively update their policies and procedures. Two examples that providers should note are as follows. First, written protocols and procedures relating to telepsychiatry should be developed and followed. These policies and procedures should include a special provision for obtaining a patient’s informed consent before recording telepsychiatry sessions. Second, staff trainings must include the topic of telepsychiatry and technical training of telepsychiatry equipment. Staff will also need to be “immediately available” to attend to emergencies and other concerns during the patient’s actual telepsychiatry session. [14 NYCRR 596.6(b)(7)(iii).]

Stay tuned to Fox Rothschild’s Physician Law blog for updates on how developments in the practice of telemedicine in New York and other states affect physicians.


Kristen A. Marotta is an associate in the firm’s Health Law Department, based in its New York office.

On the firm’s HIPAA & Health Information Technology blog, associate Kristen Marotta discussed the privacy and security issues arising from the growing use of telemedicine, particularly for mental health treatment. Kristen examines the myriad considerations doctors should address in setting up a telemedicine model for their practices, and notes federal funding recently made available via New York State’s Office of Mental Health to expand the use of mental health-focused telemedicine in the state.

We invite you to read Kristen’s piece, and stay tuned for an upcoming post on this blog delving into New York’s regulations surrounding telepsychiatry.

Last month, Apple issued a long awaited announcement of their move into the medical records field, by debuting new functions in the updated Health app for the iOS 11.3 beta, allowing users to view and aggregate their medical records on their iPhones.

The new “Health Records” features within the Health app brings together hospitals, clinics and the existing Health app to make it easy for consumers to see their available medical data from multiple providers whenever they choose. Now, consumers will have medical information from various institutions organized into one view covering allergies, conditions, immunizations, lab results, medications, procedures and vitals, and will receive notifications when their data is updated. The Health Records data is encrypted and protected with the user’s iPhone passcode.

To launch the beta version that features the new “Health Records” section, Apple partnered with 12 major health systems[1] and leading EHR vendors Cerner and Epic, using Fast Healthcare Interoperability Resources (FHIR) to facilitate the transfer of medical records. In the coming months, more medical facilities will connect to Health Records offering their patients access to this feature.

The goal is for consumers to have their medical information from various institutions organized into one view covering allergies, conditions, immunizations, lab results, medications, procedures and vitals. It all works when a user opens the iPhone’s health app, navigates to the Health Record section, and, on the new tool, adds a health provider. From there, the user is connected to Apple’s software system to obtain their records and even incorporate new data. Patients will also receive notifications when new information is added to their record.

Regulators and patient advocates have for years pushed for data-sharing standards within the medical sector to make it easier for records to flow between hospitals and doctors’ offices. The lack of interoperability has led to inefficiencies in care and frustrations from both providers and consumers. This move by Apple could effectively pressure EHR vendors to open up access to patients’ digital records and truly force EHR vendors to provide access to their data through open application programming interfaces (API) as mandated by the 21st Century Cures Act.

 

[1] The following participating hospitals and clinics are among the first to make this beta feature available to their patients:

  1. Johns Hopkins Medicine – Baltimore, Maryland
  2. Cedars-Sinai – Los Angeles, California
  3. Penn Medicine – Philadelphia, Pennsylvania
  4. Geisinger Health System – Danville, Pennsylvania
  5. UC San Diego Health – San Diego, California
  6. UNC Health Care – Chapel Hill, North Carolina
  7. Rush University Medical Center – Chicago, Illinois
  8. Dignity Health – Arizona, California and Nevada
  9. Ochsner Health System – Jefferson Parish, Louisiana
  10. MedStar Health – Washington, D.C., Maryland and Virginia
  11. OhioHealth – Columbus, Ohio
  12. Cerner Healthe Clinic – Kansas City, Missouri

This piece originally appeared in the February 2018 issue of the Allegheny County Medical Society Bulletin.

Richard L. Holzworth writes:

In April 2016, Gov. Tom Wolf signed into law Pennsylvania’s compassionate medical cannabis legislation (Act 16), effectively legalizing medical marijuana in the Commonwealth. Since that time, the Pennsylvania Department of Health (DOH) has awarded 12 licenses to grow medical marijuana and 27 licenses to operate medical marijuana dispensaries. It is anticipated that the grow operations and dispensaries will be open for business in early 2018. Although the proponents of medical marijuana have enjoyed widespread support (as evidenced by the 29 states that have enacted a medical marijuana law, including six since 2016), those in the industry are left to trust that Pennsylvania physicians will register with the DOH and send patients to the dispensaries. In other words, now that the legal medical marijuana system is in place, the onus is on physicians to ensure that patients have access to treatment.

Patient and physician registration

It is important for medical professionals to understand that they are not permitted to “prescribe” medical cannabis products. Rather, physicians who have met the registration requirements of Act 16 are permitted to issue “certifications” to patients who qualify for medical marijuana treatment.

In order for a patient to qualify for medical marijuana treatment, the patient must obtain a certification from a registered physician stating that the patient suffers from one of the 17 “serious medical conditions” identified in Act 16. These conditions include:

  • Amyotrophic Lateral Sclerosis;
  • Autism;
  • Cancer;
  • Crohn’s Disease;
  • Damage to the nervous tissue of the spinal cord with objective neurological indication of intractable spasticity;
  • Epilepsy;
  • Glaucoma;
  • HIV/AIDS;
  • Huntington’s Disease;
  • Inflammatory Bowel Disease;
  • Intractable Seizures;
  • Multiple Sclerosis;
  • Neuropathies;
  • Parkinson’s Disease;
  • Post-Traumatic Stress Disorder;
  • Severe chronic or intractable pain of neuropathic origin or severe chronic or intractable pain in which conventional therapeutic intervention and opiate therapy is contraindicated or ineffective; and
  • Sickle Cell Anemia.

Once a patient obtains a certification, then the patient must apply for a medical marijuana ID card through DOH. If the application is accepted, the patient (or a qualified, registered caregiver) may take the medical marijuana ID card to a state-licensed dispensary to obtain marijuana products.

In order for physicians to issue medical marijuana “certifications,” they must register with the DOH and complete a four-hour training course offered by DOH-approved providers. The DOH training course covers the following areas:

  • Summary of Act 16;
  • General information about medical marijuana under state and federal law;
  • Scientific research on medical marijuana;
  • Recommendations for medical marijuana, including pain management, risk management, palliative care, misuse of opioids and medical marijuana, and informed consent.

Physicians also are required to be licensed to practice medicine in Pennsylvania and be qualified, by training or experience, to treat at least one of the 17 serious medical conditions.

Once registered, the DOH will place the physician’s name, business address and medical credentials on the physician medical marijuana registry. The registry does not include contact information (telephone numbers or email addresses).

Importantly, registered physicians are not permitted to advertise that they are credentialed to certify patients for medical marijuana use. The DOH regulations have not provided much guidance in the way of what constitutes “advertising” or what is actually permitted, including whether physicians may list medical cannabis certification on their “menu” of services.

Continue Reading A Physician’s Guide to Navigating Medical Marijuana Registration

Earlier this month, Attorney General Jeff Sessions issued a Memorandum rescinding the Obama Administration’s “hands off” policy with respect to the prosecution of licensed cannabis distribution in states where medical or recreational marijuana are legalized.  Our sister blog, “In the Weeds” has covered the issuance of this new Memorandum extensively, including how it may affect state medical marijuana programs around the country.

Medical marijuana in jar lying on prescription form
Copyright: megaflopp / 123RF Stock Photo

So far, U.S. Attorneys in many of the states that have legalized medical marijuana (including Pennsylvania) have made public statements to the effect that they are not interested in prosecuting violations of federal law with respect to cannabis, especially if the activity involved is in compliance with state law.

  • For more information on the Sessions Memorandum, please see this post.
  • For more information on the responses to the Memorandum from U.S. Attorneys (including the U.S. Attorney for Pennsylvania’s Middle District), please see this post.
  • For Pennsylvania physicians, it appears that the medical marijuana program continues to be on track for implementation on April 1, 2018.  Pennsylvania Gov. Wolf issued a statement in response to the Sessions Memorandum confirming that he would seek legal action against the federal government to the extent that the federal government interferes with Pennsylvania’s medical marijuana program.  [See Governor Wolf’s statement].

Stay tuned to Fox Rothschild’s Physician Law Blog for updates on how the Sessions Memorandum will affect state medical marijuana programs.

Fox Rothschild’s HIPAA & Heath Information Technology Blog recently published two posts directly relevant to physicians and medical practices.  The first post, 5 Common HIPAA Mistakes to Avoid in 2018, addresses some typical misconceptions regarding disclosure of protected health information (PHI) and offers some ideas regarding how to avoid them.

The second post, New HIPAA Guidance on Disclosure of PHI related to Opioid Abuse and Mental Health, touches on the most recent HIPAA guidance released by the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) regarding when and to whom PHI of patients suffering from addiction and mental illness may be shared.  Among other things, the guidance addresses disclosure of PHI to family members or friends of patients in situations where the patient is incapacitated or there is a serious or imminent threat to the patient’s health.  The guidance also addresses HIPAA’s rules on sharing PHI regarding a patient’s substance abuse or mental health with other treating physicians.

The OCR has published webpages on its website to make this guidance easily accessible and understandable to health care professionals and patients.

As always, if you have a specific question regarding your practice, please consult a knowledgeable attorney.

CMS recently issued an Advisory Opinion suggesting that physicians who refer diagnostic tests reimbursable under Medicare to a laboratory may, under certain circumstances, receive electronic pop-up notifications in the laboratory’s web-based portal alerting the physicians to various potential issues related to the test results.  In the Advisory Opinion, CMS considered certain alerts which a laboratory proposed to provide to its referring physicians without charge via the laboratory’s web-based portal.  The entire Advisory Opinion can be read here.

In short, CMS concluded that the alerts proposed by the laboratory, which would be limited to issues relating to the test results, would not constitute illegal remuneration under the federal Stark law, as long as (1) the alerts are provided solely in connection with the ordering or communication of diagnostic test results from the laboratory, and (2) appropriate safeguards are in place to avoid overutilization or medically unnecessary testing.

Some of the key safeguards that CMS found persuasive included the following:

  • Alerts recommending additional testing would be based on industry-standard, peer-reviewed guidelines;
  • The alerts would not be “overly intrusive” and would not override the physician’s independent medical judgment;
  • Where multiple additional tests would be recommended in an alert, there would be no “select all” button for the physician to click to order all of the tests together;
  • The physician could turn off the alerts for a particular disease condition; and
  • The physician could obtain the information provided in the alerts free of charge from other sources.

An advisory opinion from CMS is a rare occurrence, in comparison to advisory opinions issued by the Office of Inspector General regarding the federal Anti-Kickback Statute, which occur a number of times each year.  This is the first and only advisory opinion issued by CMS in 2017.  To that end, CMS likely considers this Opinion to be useful guidance to physicians and providers regarding their use of online web portals to order diagnostic tests.

If you or your practice has any questions regarding alerts or other benefits you may receive via a laboratory’s online web portal, please consult experienced legal counsel.