Close up of health insurance formThe New Jersey Out-of-Network Consumer Protection, Transparency, Cost Containment and Accountability Act takes effect today, August 30, 2018, and requires all licensed health care professionals in New Jersey (including physicians, nurse practitioners and physician assistants, among others) who bill health benefits plans issued or delivered in New Jersey to provide certain disclosures to patients enrolled in such Plans.

The Act also contains additional obligations for physicians, including with respect to billing certain out-of-network services.  For more information regarding the Act’s impact on health care professionals and their employers, please see our Fox Rothschild Health Law Alert.

The transportation landscape in America has evolved and these developments are now impacting health care. With about 75 percent of the U.S. population living in a county with access to an on-demand ride-hailing service, many patients are turning to ride-share services, like Uber and Lyft, as a means to obtain their medical care.

The idea of partnering ride-sharing and health care is not new. Over the past few years, ride-sharing companies have been edging their way into the health care realm. Both Uber and Lyft have been testing pilot programs involving nonemergency medical transportation (NEMT) and other non-traditional health care transportation models with major providers, institutions, insurers, and transportation brokers nationwide. Until recently, most of these programs have been limited in scope to specific health care facilities, by service (e.g., concierge services that ferry flu shots to people, or enabling users to request a doctor to provide on-demand diabetes and thyroid tests) and by patient population (e.g., Medicare Advantage, Medicaid, and limited commercial payors).

Recognizing the need for accessible and cost-efficient health care transportation is not unique to Uber and Lyft. A number of revolutionary NEMT companies have emerged in various markets to supplement traditional health care transportation options and the “Big Two” ride-share companies have partnered with many of these outside vendors to enhance an established and (presumably) compliant service offering in specific markets. Certain NEMT companies, like Veyo, American Medical Response, and Circulation, have made their own name in the NEMT space. Interestingly, both Uber (in 2016) and Lyft (in 2017) announced partnerships with Circulation, utilizing Circulation’s customizable NEMT platform to integrate with each ride-sharing companies’ application program interfaces (API) and connecting with the interfaces of the health care systems’ they service.

With these numerous initiatives, it was unsurprising this year when the Big Two made their entrance into the entire health care market official. By expanding beyond outsourced NEMT ridesharing services to predetermined health care facilities, both Uber and Lyft have launched their own platforms to allow all health care providers to schedule rides for their patients.

In March, Uber introduced and launched “Uber Health,” a distinct application from the traditional Uber app, which provides a digital portal allowing health care organizations to book rides for a patient or caregiver who need help getting to and from medical appointments. Through Uber Health, unlike traditional NEMT services (where government and certain commercial payors may reimburse the transportation company for the rides), Uber bills the health care providers who sign up for Uber health monthly based on the cost of their patients’ rides, which are on par with standard Uber rates at the time of the ride booking.

On the other hand, in 2016 Lyft first introduced a service called “Concierge,” which similarly allows health care providers to set up rides for patients to get to appointments; however, also in March of this year, Allscripts and Lyft announced their partnership to incorporate the Concierge patient transportation interface directly into Allscripts Sunrise EHR so that when a patient’s transportation needs are noted in his or her medical record, a Lyft is automatically scheduled for that patient. Similar to Uber Health, under Lyft’s Concierge service, the providers pay for the rides.

This shift in health care transportation was inevitable and providers are now able to leverage the convenience of these ubiquitous apps to ensure better experience and care for their patients; however, caution should be taken to ensure that these patient rideshares are done in a legally compliant way.

Primarily, these ride-share services raise concerns under fraud and abuse regulations. Because health care providers coordinate patient transportation through the applications, providers need to be careful about offering free or discounted rides to patients which could trigger the federal anti-kickback law. Providers who treat state and federal program beneficiaries will need to ensure that the method of delivery adheres (or as closely as possible) to the Office of Inspector General’s (OIG) safe harbor regulations applicable to free or discounted local transportation. As outlined in a prior post on this Blog, in 2016 the OIG announced a safe harbor that protects a health care provider or other eligible entity (i.e., any individual or entity, except those who primarily supply health care items) from Anti-Kickback Statute (AKS) and Civil Monetary Penalty (CMP) penalties if it provides free or discounted local transportation to Medicare patients and other federal health care program beneficiaries, so long as all of a number of conditions are met. These conditions require, among other things, that there be a written policy in place which restricts how transportation services are used and advertised, and that the transportation be available only to “established patients.” Therefore, if a health care provider attempts to advertise the availability of free rides as an inducement to grow its patient base, it could quickly find themselves paying fines, including treble damages.

Additionally, many states have their own kickback prohibitions, potentially placing limitations or restrictions on the utilization of ride-share platforms for professional services. If no government beneficiaries are seen by a provider, the provider can ultimately decide whether to pay for the service or pass some or all of the cost on to their patients. Therefore, a state-by-state analysis should be performed to assess appropriate practices prior to offering ride-share services to patients. These payment and kickback concerns will continue to develop as private insurers assess reimbursement eligibility for ride share services.

One population that has been left out of the trend to partner ride-sharing with providers are those in wheelchairs or who need transportation accommodations due to a disability. Uber, was recently sued by a San Francisco-based advocacy group for not providing wheelchair-accessible transportation, and the company is now piloting such vehicles in several cities. To the extent a health care practice is “participating” in a ride-share platform, any acts of non-compliance by the ride-share company, depending on the terms of the arrangement (or lack thereof), could potentially flow to the provider, as the ride-share companies, acknowledging their status as Business Associates, are ultimately performing the services on behalf of the provider.

This Business Associate recognition prompts the overarching patient privacy concerns inherent in the ride-sharing services. Since ride-sharing companies (and their drivers) will have access to individually identifiable and/or protected health information, providers must have appropriate Business Associate Agreements (BAAs) in place to comply with the Health Insurance Portability and Accountability Act (HIPAA). Both Uber and Lyft have touted their proactive and preemptive compliance with HIPAA and publicized engagements of third-party HIPAA compliance companies to ensure development, implementation, and customization of the necessary safeguards for data security in the distinct APIs for their new platforms.

Uber asserts that Uber Health drivers won’t know which of their passengers are using Uber Health. Like a typical Uber ride, only a passenger’s name, pickup and drop-off addresses will be given to the Uber Health driver and Uber drivers are not able to opt into or out of the health service the same way that they can with Uber Eats, an affiliated food delivery service. Therefore, on a trip to a hospital or medical practice, a driver won’t know whether a rider is traveling to the health care facility using the traditional Uber app—to commute to work, for example—or is meeting a doctor through the health care platform.

The logic (or belief) is that although the ride-share companies are Business Associates, the companies’ drivers are not given any medical information and are not even informed that a ride is under the health care platform; therefore, the drivers are not Business Associates (or “subcontractors” under HIPAA). This concept has seemingly satisfied the outsourced risk and compliance assessments; however, the government has yet to opine as to whether individually identifiable health information (not just “medical information”) is truly kept private under HIPAA’s somewhat ambiguous standard of requiring only a “reasonable basis to believe the information can be used to identify the individual.”[42 CFR 160.103 (Individually identifiable health information)]

Additionally, to address obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, Uber is storing data from Uber Health in separate servers, meaning that only select Uber employees and the health care providers have access to patient data. Furthermore, Uber is housing everything itself and is not sharing Uber Health data with anyone downstream in its supply chain, thereby eliminating obligations to manage the transfer of data or implementing third-party vendor risk management programs. Accordingly, a breach in Uber’s servers presumably should not compromise Uber Health’s data.

Despite these safeguards and demonstrated HIPAA-compliance, risks still remain (e.g., potential data breaches). Not that long ago, Uber was hit by a cyberattack exposing the personal information of 57 million riders and drivers, and the company’s delayed public notification of the incident was disconcerting to many. Providers, as Covered Entities, participating in these ride-share platforms risk potential imposition of stiff penalties for data breaches, increasing the importance of entering into a well-drafted BAA with the ride-share company.

Uber has stated they are “pleased to sign BAAs with all participating healthcare organizations” and the Uber Health’s Dashboard Terms and Conditions provide that the “Terms shall automatically terminate upon the termination of the Business Associate Agreement that the parties separately entered into…” This acknowledgement is the first step, but it is unclear as to whether Uber has their own form BAA or will accept a provider’s form/terms for each individual relationship.

The incorporation of ride-sharing transportation into the delivery of health care services can provide benefits to both providers and their patients; however, the array of health care regulatory issues should be evaluated and assessed before signing up for such programs. If you or your practice have any questions or are interested in offering a patient ride-share program, please contact Michael Bassett at mbassett@foxrothschild.com or 215.444.7191, or any member of Fox Rothschild’s Health Law Group.

 

On Fox’s In the Weeds blog, associate Richard Holzworth discussed the influx of patients registering for the Pennsylvania Medical Marijuana Program, and provided an overview of key policy and procedure updates that PA’s healthcare facilities, including hospitals and long-term care providers, should adopt:

Illustration of Rod of Asclepius on marijuana leafDespite Pennsylvania’s medical marijuana industry being in its infancy, more than 17,000 patients have registered for the program, and more than 4,000 already have received their medical marijuana card from the Department of Health. Now that cannabis products have burst onto the scene, hospitals and other residential healthcare facilities are struggling with what to do when patients present medical marijuana cards and attempt to use marijuana in the facilities. Indeed, it is high time for the healthcare providers to update their policies and procedures to address these growing concerns.

Policy Considerations

In developing a medical marijuana policy, it is important for healthcare administrators to remember that medical marijuana, although legal in most states, is still classified by the federal government as a Schedule I Controlled Substance. With medical marijuana laws varying from state to state, hospitals, healthcare associations, and other stakeholders have developed and implemented a wide range of policies addressing the use and possession of medical marijuana products. These policies range from strict, categorical prohibitions to sanctioned self-therapy during hospital admission. Regardless of a healthcare facility’s philosophy (either from a political or medicinal perspective) on medical marijuana, it is important for each institution to develop and implement a comprehensive set of policies and procedures to address the inevitable circumstance of a patient presenting with a medical marijuana ID card or cannabis products in hand.

Due to the large volume of patient registrants to the Commonwealth’s medical marijuana program, PA physicians and their staff may see local healthcare facilities make changes to their policies and procedures with respect to medical marijuana in the coming months.

We invite you to read Richard’s full informative piece and stay tuned for our coverage of further developments.

Kristen Marotta writes:

Recently on Fox’s HIPAA & Health Information Technology blog, we discussed the privacy and security issues arising from the growth of telemedicine, as well as the general benefits that such growth could have for recent medical graduates. Now, with more funding and attention being given to telemedicine, new physicians will have the opportunity to make a difference in rural health care and move the industry into an entirely new direction.

The New York City skyline, including the Empire State BuildingIn New York, recent funding has been made available through the New York Office of Mental Health (OMH) to expand the use of telemedicine in the treatment of mental health patients. This new funding stream for “telepsychiatry” provides a new avenue for the practice of psychiatry in New York and provides a unique consideration for New York physicians considering the practice of psychiatry for their long-term career.

Psychiatrists or physicians considering the practice of psychiatry should familiarize themselves with the OMH’s regulations on telepsychiatry services set forth in Title 14 of the New York Code, Rules and Regulations (NYCRR), including Part 596, which recently expanded the ability of physicians to practice telepsychiatry outside of outpatient clinic settings, including between OMH-licensed sites and provider sites enrolled in New York State Medicaid. A summary of the current regulations, as well as additional guidance on telepsychiatry in New York, can be found on the OMH website. In particular, we note a comprehensive checklist and guidance published by the OMH in early 2017 regarding provider responsibilities in practicing telepsychiatry.  We also note that privacy and security concerns are discussed in this checklist. Providers rendering telepsychiatry services must comply with all federal HIPAA laws and regulations, in addition to New York’s Mental Hygiene Law Section 33.13.

Due to the nature of telepsychiatry (or any type of telemedicine), it is important for providers to remember that there are two physical locations where protected health information of patients is potentially used and disclosed. For telepsychiatry in New York, the policies and procedures at the distant site must match those of the originating site exactly. In addition, both sites must meet “the minimum standards for privacy expected for patient-clinical interaction at a single Office of Mental Health licensed location.” [14 NYCRR 596.6(b)(2)(ii)]. For confidentiality purposes, when physicians practice telemedicine of any type, they should abide by the same rules as they would for written clinical medical records.

In addition to the highly technical components discussed in the OMH’s guidance, providers will also need to substantively update their policies and procedures. Two examples that providers should note are as follows. First, written protocols and procedures relating to telepsychiatry should be developed and followed. These policies and procedures should include a special provision for obtaining a patient’s informed consent before recording telepsychiatry sessions. Second, staff trainings must include the topic of telepsychiatry and technical training of telepsychiatry equipment. Staff will also need to be “immediately available” to attend to emergencies and other concerns during the patient’s actual telepsychiatry session. [14 NYCRR 596.6(b)(7)(iii).]

Stay tuned to Fox Rothschild’s Physician Law blog for updates on how developments in the practice of telemedicine in New York and other states affect physicians.


Kristen A. Marotta is an associate in the firm’s Health Law Department, based in its New York office.

[For more information on CMS’s new Quality Payment Program and what physicians need to report in 2017, please see our prior blog posts here and here.]

CMS recently issued guidance (accessible here) on the three-part “Prevention of Information Blocking” attestation which physicians and other eligible clinicians will need to submit to CMS in order to qualify for points under the “Advancing Care Information” category of the Merit-based Incentive Payment System (MIPS).

Although making this attestation and reporting to CMS regarding use of certified EHR technology (CEHRT) is not required to avoid a penalty under the MIPS for 2017, many physicians and group practices wish to report as much as they reasonably can to seek a high score under the MIPS and a positive payment adjustment to their Medicare reimbursements in 2019.

The three-part attestation centers on the representation that the physician/group practice will not knowingly and willfully limit or restrict the compatibility or interoperability of its CEHRT.  CMS’s guidance makes clear that physicians and group practices making the attestation must use good faith and reasonable efforts to enable the exchange of electronic health records between appropriate parties.

According to CMS, examples of situations where access to CEHRT could be reasonably restricted include:

  1. System Maintenance — Disabling CEHRT for as long as reasonably necessary to complete system maintenance, provided that requests for access to EHR information during such time period are responded to when practical;
  2. Security Concerns — Blocking access to CEHRT when reasonably necessary to ensure the security of EHR information, provided that the blocking was narrowly tailored to the bona fide threat; and
  3. Patient’s Health and Well-Being — Restricting access to certain information (such as a patient’s sensitive test results), if the clinician reasonably believes that the restriction is necessary to protect the patient’s health or well-being. In the case of sensitive test results, CMS suggests that restricting access to the results could be reasonable until the physician or clinician who ordered the test has reviewed and appropriately communicated the results to the patient.

CMS expects that physicians and group practices making the attestation will ensure that their organizational policies and workflows will not restrict functionality of the CEHRT in any way, and that they will work with their CEHRT vendors to ensure that the CEHRT is fully functional.

If you or your practice will be reporting EHR data to CMS under the MIPS for 2017, a full review of CMS’s guidance on the attestation is recommended (see the five-page guidance here).  All physicians and practices reporting EHR data under the MIPS have until March 31, 2018 to report the data and make the attestation.

As first reported on our sister blog, “In the Weeds” (post accessible here), on July 26, 2017, the Pennsylvania Department of Health opened its Medical Marijuana Practitioner Registry.  Physicians licensed in the Commonwealth of Pennsylvania may now apply online to register to certify the use of medical marijuana for their patients.  The online application may be completed here.

Medical marijuana in jar lying on prescription form
Copyright: megaflopp / 123RF Stock Photo

The Practitioner Registry will be publicly searchable and will include each practitioner’s name, business address, and medical credentials.  As noted in one of our prior blog posts on the subject (accessible here), it is still unclear whether practitioners may represent on their own practice websites that they are registered with the Pennsylvania Department of Health to certify the use of medical marijuana.

In order to complete the registration process, physicians will be required to complete a four-hour training program on the use of medical marijuana to treat serious medical conditions.  As part of its Press Release on the opening of the Practitioner Registry, the Department of Health has announced that the following two continuing education providers have been approved to offer the training program to practitioners at this time:  Answer Page Inc. and Extra Step Assurance LLC.  Further information on the training courses can be found at the companies’ websites.

For more information on Pennsylvania’s Medical Marijuana Program and how it applies to practitioners, please see our prior blog post on the subject (link), as well as the state website for the Program (accessible at this link).  According to the Press Release, Pennsylvania’s Medical Marijuana Program is still on track to be fully implemented in 2018.

On June 20, 2017, The Centers for Medicare & Medicaid Services (“CMS”) released a proposed rule which would exempt a greater number of small practices from complying with the  Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”).

CMS’s Administrator, Seema Verma has been quoted as saying that CMS has “heard the concerns that too many quality programs, technology requirements and measures get between the doctor and the patient. . . That’s why we’re taking a hard look at reducing burdens. ”

In order to accomplish this goal, CMS proposes to now exempt physician practices with less than $90,000 in Medicare revenue or physicians with fewer than 200 unique Medicare patients.  The current rule only exempts physician practices that have less than $30,000 in Medicare revenue or fewer than 100 unique Medicare patients.  This proposed rule could mean another 834,000 clinicians could be exempt from the quality reporting under MACRA.

While this seems like a large increase in the number of physicians that are exempt, a recent Modern Healthcare article notes that “65% of Medicare payments would still be reported under methods that adhere to MACRA even if this draft rule were finalized.”

If you are interested in commenting on the proposed rule you may do so through August 30, 2017.  The proposed rule can be found at the following website: Proposed Rule.

If you would like more information about MACRA please see the Fox Rothschild Health Law Alert – Medicare Quality Payment Program from January 2017.

As previously reported on our Physician Law Blog (see our post here), the Pennsylvania Department of Health issued draft “temporary” regulations regarding physician registration and certification of medical marijuana on April 11, 2017.   Following a brief comment period, the Department finalized its “temporary” regulations in the June 3, 2017 issue of the PA Bulletin.  A copy of the final regulations can be viewed here.

Medical marijuana in jar lying on prescription form
Copyright: megaflopp / 123RF Stock Photo

The regulations are labeled “temporary” because they were adopted to implement PA’s new Medical Marijuana Program.  As a result, they will expire in two years, unless made permanent by the Department.  However, for the first year of the Program, these regulations will govern the registration of any physician who wishes to certify the use of medical marijuana for his or her patients.  The Department has confirmed in a related press release that the Medical Marijuana Program continues to be on schedule for full implementation in early 2018.

The final physician regulations make a few notable changes to the draft regulations, but also leave physicians with some lingering questions regarding the registration process, advertising their certification services, and charging fees for re-certifying the use of medical marijuana for existing patients.

Notable Changes

1.    The publicly available Practitioner Registry maintained by the Department will include only the practitioner’s name, business address and medical credentials (as opposed to the practitioner’s phone number and/or email address).  [See 28 Pa. Code 1181.25].  As a result, a prospective patient seeking a physician on the Practitioner Registry will need to take the extra step to conduct a web search on the physician in order to locate the physician’s contact information.  While this may encourage physicians registered to certify the use of medical marijuana to ensure that their practice websites clearly advertise their services, physicians should note that the Medical Marijuana Act and these regulations prohibit a physician registered to certify the use of medical marijuana from advertising the physician’s marijuana certification services.  It is unclear to what extent this prohibition will permit practice websites to note that one or more of the practice’s physicians are registered to certify the use of medical marijuana.

2.    A physician’s certification for the patient’s use of medical marijuana will now be required to include a statement as to the length of time (which cannot exceed 1 year) for which the practitioner believes the use of medical marijuana by the patient would be therapeutic and palliative.  [See 28 Pa. Code 1181.27(a)(6)].  The certification will also be required to include the recommendations, requirements or limitations as to the form or dosage of medical marijuana appropriate for the patient or a recommendation that the patient speak only with a medical professional employed by, and working at, the dispensary regarding the appropriate form and dosage of medical marijuana.  [See 28 Pa. Code 1181.27(a)(7)].

3.    Under the final regulations, physicians may not receive or provide medical marijuana product samples, and may not serve as a designated caregiver for a patient for whom the physician has issued a certification for medical marijuana. [See 28 Pa. Code 1181.31].

4.    Under the Act, physicians will be required to complete a 4-hour training course on various aspects of the use of medical marijuana in the treatment of serious medical conditions, in order to qualify for registration.  The Department confirmed in these final regulations that it will maintain on its website a list of approved training providers offering the 4-hour course for reference by physicians seeking registration.  [See 28 Pa. Code 1181.32].

Remaining Questions

As first raised in our prior blog post on the Department’s draft temporary physician regulations, the Act and the draft regulations appeared to leave two key questions unanswered.  First, will the physician registration process be electronic or require paper application?  And second, can a physician accept payment from existing patients for re-certifying the use of medical marijuana for those patients?

The Department failed to answer those questions in the final physician regulations. Regarding the former, we will eventually find out how the Department will operate the registration process when it announces the opening of physician registration.  However, regarding the latter, which arises out of the unclear drafting of the Act and these regulations, an answer may require further inquiry with the Department.

I also note that, as raised above, it is unclear whether registered physicians will be able to list on their websites that they are registered to certify the use of medical marijuana.

Stay tuned to the Fox Rothschild Physician Law Blog for updates on physician registration for certification of the use of medical marijuana in Pennsylvania.

Should you have any questions regarding the registration process or what obligations a registered physician will have under the Act, please contact an experienced healthcare lawyer.

Earlier this month, a New York man was sentenced to 10 years in prison for allegedly operating a $26 million scheme to defraud Medicare and Medicaid. The defendant allegedly established 6 medical clinics in Brooklyn that paid elderly people to pose as patients and billed Medicare and Medicaid for unnecessary and/or non-existent medical care and equipment. The defendant, who was not a doctor, operated the six clinics between 2007 and 2013, but because New York’s corporate practice of medicine doctrine requires that such clinics be owned and operated by licensed healthcare professionals, he found three physicians to serve as nominal clinic owners. The allegations included that the physicians would periodically come to the clinic to sign medical charts for patients who they never treated, and for others, prescribe unnecessary medications, procedures and supplies. The clinics allegedly incentivized elderly patients to seek “treatment” at the clinics through cash kickbacks.

In addition to his prison term, the defendant was ordered to pay $16,686,811 in forfeiture and a restitution order of $18,683,691. Although this was an extreme “billing mill” case, the severity of sentencing highlights the importance of billing compliance obligations. Also, since New York law strictly prohibits unlicensed individuals, such as the defendant, from owning medical clinics and/or influencing medical decision making, clinics should ensure that such functions are exclusively reserved to its licensed healthcare providers. The corporate practice of medicine doctrine varies from state to state, so we recommend that you contact a knowledgeable and experienced healthcare attorney in your state if you have any questions regarding these requirements.

USA Today, New York Times, BNA, and several other news outlets have been reporting over the last few weeks about non-competition agreements and non-compete laws especially related to low-wage workers.  There have been interesting changes and proposed changes to state laws that may affect several industries including healthcare.

In a recent article on Law360, titled “Noncompete Agreements Under Siege At The State Level,” the authors highlighted some developments in non-compete law.  They posit that many areas of employment and labor law have seen changes, but the law of noncompetition agreements has been relatively static.  Until recently, most changes came from case law in this area of law; however, more recently we are seeing that many state legislatures are taking up the issue.

Some states like Massachusetts, Oregon and Missouri are offering laws which include broad prohibitions on the enforcement of noncompetition agreements.  However these proposals have not made much legislative progress according to the authors.

Other states have offered legislation that has health care industry-specific prohibitions.  For example, the authors note that last year Rhode Island enacted legislation that effectively renders physician noncompetition agreements void and unenforceable, while Connecticut imposed new limits as to when noncompetition agreements can be enforced.

According to the authors, in 2017 the trend is continuing.  West Virginia enacted a statute regarding physician noncompetition agreements, which limits the ability to enforce such provisions.  The authors state:

Measures have also been introduced recently in Pennsylvania, Minnesota, Oregon (home care workers), New Mexico (certified nurse practitioners and midwives), and Connecticut (homemakers, companions and home health aides) that target noncompete enforcement against physicians and others in the health and medical profession. (emphasis added)

Low-wage employee non-compete clauses have also come under scrutiny.  The authors note that this year several states have or are currently considering income-based restrictions, including Massachusetts, Maine, Maryland (did not pass), and Washington.

With the landscape of this very important issue changing, individual healthcare providers, their employers, and anyone else who uses, or is subject to, non-compete provisions will need to keep on top of developments to their state’s specific laws.  As the laws change, it will be more important than ever to have non-compete provisions and agreements reviewed or re-reviewed to ensure you understand the effect of such changes.