The continuation of the COVID-19 public health emergency (PHE) and consumer demand for digitally delivered healthcare not only necessitated the shift from in-person to virtual care, but also continued to drive interest, adoption, investment and transactions in digital health in 2021. Digital health funding in 2021 far surpassed 2020’s totals, with no signs of slowing down in 2022, and the potential permanence of some regulatory flexibilities beyond the PHE are charting a course for continued digital health growth in 2022 and beyond.
TELEHEALTH UPDATES AND IMPLICATIONS FOR CY 2022
On November 2, 2021, the Centers for Medicare & Medicaid Services (CMS) published the calendar year (CY) 2022 Medicare Physician Fee Schedule (MPFS) final rule, which went into effect Jan. 1, 2022, and includes coverage extensions for certain telehealth services added during the COVID-19 PHE, such as:
Extension of coverage for services temporarily added to the Medicare telehealth services list (Category 3 services) through the end of CY 2023.
The permanent adoption of HCPCS Code G2252 for extended virtual check-ins, established on an interim basis in the CY 2021 MPFS.
While the final rule includes coverage for several new virtual care services in 2022, such as remote therapeutic monitoring (RTM), CMS did not approve requests to make these coverage extensions permanent. Per CMS, the extension of Category 3 services coverage through CY 2023 will allow more time for evaluation.
The final rule also includes multiple provisions for mental health telehealth services, including
Coverage for audio-only telehealth services in the patient’s home for the diagnosis, evaluation, or treatment of a mental health disorder, provided certain conditions are met, including the requirement of in-person visits at least every 12 months
Mental health telehealth visits can originate from within a patient’s home. As provided for under the Consolidated Appropriations Act, providers can offer mental health services via telehealth without complying with typical originating site and geographic restrictions, provided that certain conditions are met, including that the patient receive an in-person visit prior to the telehealth visit and at least every 12 months thereafter.
For Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs), CMS is allowing audio-video and audio-only telehealth services for the purposes of diagnosis, evaluation, or treatment of a mental health disorder.
Physicians can deliver Opioid Use Disorder (OUD) therapy and counselling services using audio-only technology, in instances where two-way video is not available
TELEHEALTH REGULATORY UPDATES TO WATCH FOR IN 2022:
There are still many regulatory unknowns that will take shape in the coming months. For example, expect to see ongoing changes in telehealth coverage policies, affecting not only general medical and behavioral healthcare, but an increasing number of specialties.
There are still many regulatory unknowns that will take shape in the coming months. For example, expect to see ongoing changes in telehealth coverage policies, affecting not only general medical and behavioral healthcare but an increasing number of specialties. Providers using teledentistry and teleoptometry, for example, must stay up-to-date on the latest regulations to ensure they are operating in a consistent, complaint manner and are adequately prepared for changes if/when the PHE telehealth waivers are lifted.
Another open matter in the ongoing PHE (and thereafter) relates to enforcement of the Ryan Haight Act, which requires practitioners issuing a prescription for a controlled substance to conduct an in-person medical evaluation or conduct a video/audio communication in a DEA-registered facility. The Drug Enforcement Administration (DEA) initially loosened remote prescribing restrictions of Schedule II through Schedule V controlled substances in January 2020, allowing providers to electronically prescribe controlled substances without first conducting an in-person examination during the PHE, provided certain conditions are met. Despite the relaxation of this requirement at the federal level, providers must ensure that they continue to comply with state law requirements for controlled substances – which may independently require an in-person examination.
At the state level, as of January 2022, 42 states and the District of Columbia already have telemedicine parity language in place, with others following suit. However, given that states reimburse at different rates, mental health and telehealth businesses looking to expand to other states should do their research on reimbursement rates across the country to increase stability and chart the most strategic course for growth. States continue to update their telehealth laws and regulations, frequently providing clarification and sometimes loosening licensing requirements making it easier for out-of-state practitioners to provide services. The environment remains a patchwork, however, and careful review of state licensing and prescribing requirements remains necessary.
Going forward, providers must track regulatory developments related to the prescription of controlled substances and enforcement of original provisions in the Ryan Haight Act as well as state-level developments.
The industry must also watch for potential permanent fixes to originating site and geographic restrictions on Medicare telehealth coverage, which have been proposed in The Telehealth Modernization Act of 2021 (HR 1332) and the CONNECT for Health Act of 2021 (S 1512).
INTEROPERABILITY AND DATA SHARING
With the Cures Act’s information blocking provision now in full swing, regulated organizations must have the capabilities in place to share healthcare data. Organizations that interfere with the access, exchange, or use of electronic health information (EHI) are subject to penalties. The law excludes practices required by applicable law(s) or if they meet an exception established by the Department of Health and Human Services (HHS) Secretary.
Important upcoming deadlines include:
Through October 5, 2022, the provision only applies to data elements represented in the United States Core Data for Interoperability (USCDI Version 1).
On and after October 6, 2022, an actor must respond to a request to access, exchange, or use EHI with EHI as defined in § 171.102.
“Organizations regulated by the Cures Act information blocking provision should take steps to ensure EHI is prepared to comply with October 2022 deadlines.”
To prepare for October 2022, the Department of Health and Human Services’ (DHHS) Office of the National Coordinator for Health IT (ONC) recommends that the regulated community:
Subject to applicable HIPAA requirements, share more EHI than required in the USCDI Version 1, if possible, and not wait to begin doing so.
Have a goal of making all EHI available as soon as possible, as if the scope of EHI were not currently limited.
HIPAA ENFORCEMENT DISCRETION
In January 2021, the United States Department of Health and Human Services, Office for Civil Rights (OCR) announced a notification of enforcement discretion relating to certain aspects of HIPAA that provides Covered Entities some flexibility in providing remote care during the PHE. Specifically:
The OCR will not impose penalties for non-compliance with the regulatory requirements under the HIPAA rules against covered health care providers in connection with the good faith provision of telehealth services, regardless of whether the services are related to diagnosis and treatment of health conditions associated with COVID-19.
A covered health care provider that chooses to use audio or video communication technology to provide telehealth to patients during the PHE may use any non-public facing remote communication product that is available to communicate with patients.
HHS also published proposed modifications to HIPAA in early 2021. It is possible that some of these changes intended to increase permissible disclosures of PHI, improve care coordination and case management and increase individual access to PHI will be adopted in 2022, and will have a ripple effect throughout healthcare payer and provider organizations’ compliance departments. For example, the modifications would necessitate updates to policies and procedures, business associate agreements, notices of privacy practices and other HIPAA-related compliance issues.
“It is possible that some of these changes… will have a ripple effect throughout healthcare payer and provider organizations’ compliance departments.”
HEALTH BREACH NOTIFICATION RULE
On September 15, 2021, the Federal Trade Commission (FTC) voted to issue a policy statement announcing an expansive interpretation of the FTC’s Health Breach Notification Rule, 16 CFR Part 318. This rule applies to health apps and connected devices that are not subject to HIPAA, but are capable of drawing information from multiple sources—for example, through a combination of consumer inputs and application programming interfaces (APIs) that connect to other services on a device, like a calendar app.
The FTC’s latest position on the Health Breach Notification Rule for digital health apps and connected devices is as follows:
Developers of mobile health apps or connected devices are “healthcare providers” for purposes of the rule because the developer furnishes healthcare services or supplies by offering the app or connected device; and
Any mobile health app is covered by the rule if it is capable of drawing information from multiple sources, even if health information is collected from only one source
This policy has broad implications for consumer mobile health, wellness, fitness and other apps that fall within the scope of this new guidance. For example, a covered app developer’s disclosure of individually identifiable health information to a thirdparty analytics provider without the consumer’s authorization likely triggers the breach notification provisions of the rule, unless the entity “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”
To ensure compliance, developers of mobile health apps and connected devices should continue to evaluate their products and services in light of this policy statement and resulting enforcement activity, and should consider whether to obtain individual authorization for disclosures of individually identifiable health information made by the developer.
This policy has broad implications for consumer mobile health, wellness, fitness and other apps that fall within the scope of this new guidance.
STATE-LEVEL PRIVACY AND CONSUMER DATA PROTECTION LAWS
With an array of new consumer privacy laws set to take effect in 2023, in-house counsel and privacy professionals have their work cut out for them in aligning their businesses with the expanding patchwork of state laws. As an initial step, digital health companies should evaluate whether they meet the applicability requirements for their state’s particular laws, including whether they qualify for an exemption from the law because the health information they hold is regulated by HIPAA or other applicable state health information privacy laws.
To date, three states have enacted new consumer data protection laws that will go into effect in 2023. The Colorado Privacy Act (CPA) will take effect July 1, 2023, just six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA), the successor to the California Consumer Privacy Act, become effective.
For digital health companies that are subject to these laws, an important second step will be evaluating exposure to the new “sensitive data” requirements by updating or creating data maps that include sensitive data categories covered by these laws, establishing process for responding to consumer requests and updating privacy policies and notices to accurately reflect data collection and use practices. Finally, companies should be careful not to design their programs too narrowly. State legislative activity is expected to pick back up when many state legislatures reconvene in early 2022, so with future developments in mind, companies should focus on creating dynamic and “agile” privacy programs that can react quickly and adapt to the changing landscape.
State legislative activity is expected to pick back up when many state legislatures reconvene in early 2022, so with future developments in mind, companies should focus on creating dynamic and “agile” privacy programs that can react quickly and adapt to the changing landscape.
MEDICARE PROMOTING INTEROPERABILITY PROGRAM
CMS also released updates to its Medicare Promoting Interoperability Program in 2021, an initiative focused on improving data exchange and EHR usability for better patient safety. Some of the biggest update implications for hospitals and health system reporting requirements include:
Hospitals participating in the interoperability program must finish ONC’s Safety Assurance Factors for EHR Resilience Guides beginning in 2022.
Eligible hospitals complete an annual self-assessment of their EHRs using ONC-sponsored safety guidelines.
Retaining the public health registry reporting and clinical data registry reporting measures for hospitals, making them optional and available for bonus points beginning with the EHR reporting period in CY 2022.
Hospitals and health systems should be prepared to work closely with their EHR vendor partners and legal experts to ensure compliance with CMS’ new rules.
NEW TECHNOLOGY ADD-ON PAYMENT (NTAP) UPDATES
On August 2, 2021, CMS issued the final rule for FY 2022 Medicare Hospital Inpatient Prospective Payment System (IPPS) and Long-Term Care Hospital (LTCH) Prospective Payment System (PPS).
The final rule includes a variety of updates intended to improve hospital and health system readiness and response to PHEs, including:
New Technology Add-on Payment (NTAP) extension: CMS granted a one-year extension for 13 technologies for which the new technology add-on payment would otherwise be discontinued beginning FY 2022. Medicare will reimburse up to an additional 65 percent (75 percent for certain antimicrobials) of the cost of the approved new technology, plus the applicable MS-DRG payment rate
New COVID-19 Treatments Add-on Payment (NCTAP) extension: CMS is extending the NCTAP for eligible COVID-19 products through the end of the fiscal year in which the PHE ends. When applicable, hospitals will be eligible to receive both NCTAP and the NTAP, with the new technology add-on payment reducing the NCTAP amount accordingly.
NTAP technology additions for FY 2022: CMS approved 19 technologies that were submitted for NTAP for FY 2022, including 9 technologies under the alternative pathway for new medical devices that are part of the FDA Breakthrough Devices Program. See here for more detailed information.
WHAT TO WATCH IN DIGITAL HEALTH DEALMAKING, DEVELOPMENT AND ADOPTION
Given the rapidly changing healthcare environment and increasing reliance on digital health solutions, providers, payors, employers and solutions developers must pay careful attention to the shifting regulatory landscape. Business imperatives should include the following:
Clearly defined and empowered governance and operating structure in place at the enterprise level to ensure proper oversight of digital projects while enabling swift execution and improvement.
Executive champions and individuals focused on overseeing the implementation of digital projects and dedicated teams focused on digital program design, launch, optimization, and user experience.
Functional support teams (e.g., IT, legal, finance, clinical) in place, as well as teams focused on agile program development and realtime program performance tracking.
Defining success and measuring outcomes at every stage of product development and implementation, including when navigating vendor relationships.
As the digital health boom continues in 2022, there are a variety of legal, clinical, operational regulations that healthcare organizations must carefully track, evaluate, and prepare for going forward. Without proper due diligence, organizations risk being in a perfect storm of regulatory non-compliance, at risk of incurring fines, harming patients, causing breaches of fiduciary duties, harming institutions, and deal termination.
As the digital health boom continues in 2022, there are a variety of legal, clinical, operational regulations that healthcare organizations must carefully track, evaluate, and prepare for going forward.
2022 DIGITAL HEALTH OUTLOOK
In 2022, we can expect to see ongoing investor interest and strategic dealmaking with companies specializing in telehealth, remote patient monitoring and other platform-based solutions that focus on improving care access and engagement. We will also continue to see a high volume of M&A activity and digital health adoption, with a focus on solutions that enable value-based care, and the policy implications to support it. Against this backdrop of competitive dealmaking, digital health companies and their investors must also keep a close eye on the evolving regulatory landscape impacting the space.
Sam Siegried also contributed to this article.