AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field. AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the American health care system.
Hot Topics in Telehealth: What to Expect in 2026
Jennifer Breuer, Partner, Faegre Drinker Biddle & Reath LLP, Sean Sullivan, Partner, Alston & Bird LLP, and Adam Greene, Partner, Davis Wright Tremaine LLP, discuss some of the latest trends and developments in the world of telehealth, as well as what to expect in 2026. They cover issues related to reimbursement (including the future of telehealth flexibilities), privacy and security, and other compliance risks. Jennifer is editor, and Sean and Adam are co-authors, of AHLA’s new Telehealth Law Handbook, Third Edition.
Watch this episode: https://www.youtube.com/watch?v=7-tPb_XNUzk
Learn more about AHLA’s new Telehealth Law Handbook, Third Edition: https://store.lexisnexis.com/ahla/products/ahla-telehealth-law-handbook-ahla-members-grpussku5629963.html
This episode of AHLA Speaking of Health Law is brought to you by AHLA members and donors like you. For more information, visit americanhealthlaw.org.
SPEAKER_03:So, hello. Today we're um talking about uh AHLA's new Telehealth Law Handbook. Um I am the editor of the third edition that just came out, and I am here today with some of my co-authors. Um I'm Jennifer Breuer, uh partner at Faegre Drinker in our Chicago office. I'm here also with Adam Greene, a partner at Davis Wright Tremaine in the DC office, and Sean Sullivan, a partner in Alston & Bird's Atlanta office. We're going to be talking through some hot topics in telehealth, um, some of which were discussed in the book, and some of which are just timely things that have come up in our practices. Um, let's start with reimbursement, since here we are in the middle of January, and we know that there are some potential significant changes coming. Um let's start there. Sean, do you want to talk a little bit about what happens, what's happening today and what might or might not happen on January 31st?
SPEAKER_01:Yeah, sure, sure. So uh so thanks for having me, Jen, and appreciate you know, AHLA had had this opportunity to uh to do this podcast. But we're kind of in an interesting time right now, and frankly, it's been it's been kind of an interesting time over the last five years since the COVID-19 pandemic and the public health emergency and the end of the public health emergency. But we are recording this on January 15th. Um, the the current budget and um and funding for the government extends through January 30th, uh January 30th, 2026. And the way that the government, the way that Congress has been extending these telehealth flexibilities that have been in place since the beginning of COVID has really been through the um through the through the continuing resolutions that have extended the budget and funded the government. So that means that because right now we only have funding of the government through January 30th, 2026, that means that all of the COVID-19 related Medicare telehealth flexibilities that have been in place for the last five plus years, those will go away as of January 30th, 2026. So absent any additional legislation, the Medicare telehealth policy essentially snaps back to those pre-COVID-19 rules, bring back things like geographic and originating site requirements, um, who can actually provide, who are the eligible providers to be able to provide telehealth services, certain in-person requirements for mental health services, um, maybe even audio-only services may go away. So all of those will snap back to what was previously the traditional Medicare requirements for providing telehealth. And so this is, I mean, this is a you know, serious concern, a serious problem. It's really a core strategic or operational concern for a lot of telehealth companies on what to do after January 30th. But that said, this has been a problem that we've been encountering every six months or so for the last couple of years.
SPEAKER_03:Um, any any insights or thoughts on what might happen um in the next couple of weeks?
SPEAKER_01:Well, yeah, I can um, I mean, I expect, and I know that there is broad bipartisan support for extending the telehealth flexibilities. So I would expect that any budget that is passed would include extension of those telehealth flexibilities. But that said, I just don't know if there's going to be a budget passed by January 30th, 2026. And the way that Congress has been going the last couple of years, especially just over the last year, is we get right up to these um, you know, budget deadlines and Congress fails to fails to pass anything or passes something at the very last day. But to the extent that something does get passed, I would expect there to be telehealth flexibilities, an extension of that. I don't expect for it to be permanent yet, although I think everybody in the industry would love for us to have those those telehealth flexibilities eventually made permanent, but there's been a lot of reluctance to to ultimately make those um, you know, make those telehealth flexibilities permanent. So I expect another extension to go along with the budget. The big question on my side is is that budget going to be passed and when would it be passed? And there may be some some lag period between when the government may actually shut down, between when those telehealth flexibilities go away and when they may be you know reenacted.
SPEAKER_03:Right. Um do you think that uh we should expect um any any let's talk a little bit about and what we're really talking about here is Medicare, of course, um and and Medicaid um things that the government pays for. We know that a lot of telehealth has moved to direct-to-consumer. Um, and that really means at least for for Medicare covered services, many of those services aren't covered by Medicare anyway. Um and right, they don't they don't take take cash pay reimbursement, but for more traditional telehealth providers, this is going to be a big, a big change since over the past you know several years, we've been able to see our doctors and clinicians have been able to get reimbursement for that from anywhere. Um, if we go back to the pre-2020 days, um, we're really back to you know uh reimbursement only in for for uh telehealth services only in rural rural communities, right? And only when people actually show up at facilities.
SPEAKER_01:That's right. We'd be snapping back to those original traditional pre-COVID uh requirements. And essentially, um, you know, this has been talked about before, but those are there's essentially five traditional Medicare telehealth requirements. The originating site needs to be somewhere other than the patient's home. It has to be an eligible originating site, like a physician practice or a hospital or a nursing facility. Also, that originating site has to be in a rural area. So you can't provide telehealth that's reimbursed by Medicare in a city, which is a significant limitation. There's also a bunch, there's a list of practitioners that can provide telehealth. It does not include therapists like physical therapists, occupational therapists, speech language pathologists, and those types of practitioners have been doing a lot of a lot of telehealth over the last couple of years since they've been permitted to. But again, they are not permitted under those, under those traditional telehealth rules. You also have to have a qualifying technology, which is an audio-video synchronous connection, with some exceptions, but but a lot of those audio only or telephone only telehealth services will no longer be permitted. Um, and then the fifth element is really there may not be a change to that. That is, it must be a qualifying telehealth service listed on the CMS list. Would not expect that to change. That is not a statutory issue. That's really a CMS policy issue. So I wouldn't expect that to change, but but that list has grown substantially over the last five years since COVID and since the end of the PHE.
unknown:Yeah.
SPEAKER_03:Let's talk a little bit about Medicare Advantage because what we're really talking about is traditional Medicare reimbursement. Uh, what happens with Medicare Advantage?
SPEAKER_01:So these rules don't expressly apply to Medicare Advantage, and Medicare Advantage should have a lot more flexibility. It's not necessarily bound by these rules. And MA plans can offer supplemental benefits that have telehealth that um telehealth as an option that is not connected to these traditional telehealth rules. So there's still going to be flexibility with Medicare Advantage uh rules. And last time this happened back in September, CMS did issue some, I forget if there were advisories or some sort of transmittals that talked about how this applies to Medicare Advantage plans. And the Medicare Advantage plans can, in fact, provide supplemental telehealth benefits that go above and beyond what these statutory requirements would be. So I don't expect it to, you know, to hit MA plans and their beneficiaries directly and be and be a problem. It's just, and frankly, you know, I don't expect it to be a problem in the industry because I do expect, and we do think there's bipartisan support for this to be extended. There's just, frankly, a lot of confusion in the industry. And every time one of these cliffs starts coming up, then we get a ton of questions from telehealth practitioners, from providers, from technology companies on what it means. And a lot of the a lot of the advice I give, you know, when we're leading up to these things is look, it's not going to be as bad as we think it's going to be. Yes, that's a possibility, but we we certainly expect for the extensions to take place, but we can't guarantee it.
SPEAKER_03:You know, there's been a lot of discussion. I mean, sort of every time this comes up, which has been, you know, uh over the past five years, pretty frequently, there's been a lot of discussion um about why uh Congress hasn't just made telehealth permanent um and the flexibility is permanent. And I, you know, leading up to the pandemic, there was a whole lot of concern of misuse and overuse of telemedicine, that word old ladies would be calling their doctors, and that would cost the Medicare system um an awful lot of money. Um I'm not sure that, you know, I don't think that that has proven itself to be true, but I'm also not sure that anybody's really ready to say that, you know, telehealth for all for you know, all or most situations is really what Medicare is going to pay for going forward.
SPEAKER_01:Yeah, yeah, I think that's right. Um and there was a lot of discussion, I think, about about the cost, exactly exactly what you said cost, the potential for fraud, you know, how much is this gonna cost the the government if we allow if we allow Medicare to reimburse telehealth in almost any situation, the same as we're we're reimbursing in-person services. Um, and then when COVID happened, um all of these flexibilities immediately went into place. Congress passed a statute that um the CARES Act that opened up these flexibilities, and then CMS implemented it. And so we had a bunch of these flexibilities. And frankly, for the first couple of months, telehealth did shoot up because everyone was staying in their homes. But as the world started opening back up, um the use of telehealth has kind of leveled off. Um, but I think that the concern from Congress's perspective was the data that we have for how telehealth is used and how much it costs us was during the public health emergency. So we had three years up until I think May of 2023 of the public health emergency when these flexibilities were in place. And we know how much telehealth was used at that time, we know how much it cost at that time. And then I think what Congress really wants to study now and to understand is what does it look like when we're not in a public health emergency? What does it look like when we're not in a pandemic? And with these expanded flexibilities to provide um Medicare telehealth, when we're not in a pandemic, how much is that going to cost us and how much do people actually use it? But now it's 2026. So now it's been almost three years of that non-pandemic, non-public health emergency with those flexibilities. So I would imagine that the Congressional Budget Office and Congress and CMS and all of these agencies that study these issues have enough data or should have enough data to really understand how much it's gonna cost and how much is it actually used. 
But at the same time, Congress just has a lot of problems over the last couple of months and over the last year in particular of getting anything done. So I think that's really our obstacle now is not necessarily having enough data to know how it's gonna be used and how much it costs, but really getting Congress to get their act together and come together and pass something on a bipartisan basis that's gonna be meaningful for the country that is permanent and not just a temporary kick the can down the road. So that's I think that's the issue we're dealing with.
SPEAKER_03:Great. Um, what about um Medicaid? Are we seeing changes or issues that we should talk about in Medicaid reimbursement uh for 2026 and go beyond?
SPEAKER_01:Well, Medicaid, you know, it's state, it's primarily state-driven. It's not federally standardized across the states, and states do have broad discretion to determine exactly how they're gonna reimburse for telehealth and what kind of what modalities to cover, what providers can bill, and all of those issues we talked about for Medicare. And Medicaid for Medicaid programs, the states largely have their own ability to determine when they're gonna pay for Medicaid. Sorry, when they're gonna pay for telehealth services through the Medicaid program. Um, you know, typically most, I think virtually all Medicaid programs do reimburse telehealth to some extent. Um, and we've seen a great expansion of that again since the since the pandemic over the last five years. So if there's a lot more, there's been a lot more growth in reimbursement in telehealth and some interesting things that Medicare doesn't actually do, such as reimbursing uh ambulances for providing telehealth services or serving as an originating site for telehealth services when the ambulance may not actually transport the person home. There's some states that have implemented things like that. So you're seeing some more innovation on the state Medicaid side. Um the problem is it's just a real patchwork, and that can be a challenge for national healthcare providers that are providing services in every state, and including states that may be reimbursed or services that may be reimbursed in different states by Medicaid. So, you know, that can be challenging, but it also is you know an opportunity and it's good to see that there's been more expansion among a number of different states for Medicaid and telehealth.
SPEAKER_03:How about um commercial insurance and their approach to telehealth coverage? Do you see that changing at all or expanding more?
SPEAKER_01:That, yeah, that has been expanding a lot. I haven't seen, I've seen it expanding, I think, with commercial payers. They've become more and more uh warmed up to the idea of reimbursing for telehealth services and really considering telehealth not as a specific unique service, but really as a modality for service that mirrors in-person care. So a lot of commercial payers have been have been really opening up. But the one thing to talk about for commercial insurance is is again, it can be state-specific, not because necessarily the commercial insurance plans, but because of the insurance laws in the state. And every state has some type of um of parity law, but there's a lot of different versions of them. And the main, the main um versions, I guess, are coverage parity versus payment parity. And a lot of states have, or the majority of states have coverage parity that say that if you if you, as a commercial healthcare insurance plan, if you cover uh telehealth services, or sorry, if you cover a service that is in person, then you need to cover if it's conducted via telehealth as well. But there's a lot of different variations on that. Some of them may say, well, unless it's not clinically indicated or there's certain exceptions. So there's a lot of varieties of that, but that essentially is where the state is requiring the plans to cover telehealth services if they were to cover them in person. But where we have um, you know, much more adoption of telehealth is in the states that have payment parity. And payment parity is where the state insurance laws mandate that the that the health plans cover those telehealth services, not just to the same extent that they would cover in-person services, but at the same rate. So they're getting paid the same if it's via telehealth versus if it's in-person. 
Um, and in those states where where providers are able to get the same reimbursement if they're doing it, if they're doing care remotely, in those states, we've seen really seen a lot more um expansion of telehealth, especially on the commercial side.
SPEAKER_03:Um, what are the sort of challenges that providers face um in navigating the differences between re and reimbursement between Medicare, Medicaid, and commercial payers?
SPEAKER_01:That that in and of itself, I think, is the challenge, right? Because you've got a lot of different payers. You've got Medicare, which is going back and forth, are these extensions going to happen or not? We don't know. Um we expect that they will, but but it's still a big open question. So we've got Medicare on one side, we've got Medicare Advantage that has their own unique rules, uses a lot of the same billing and coding and documentation requirements as traditional Medicare, but Medicare Advantage may have its own rules and its own supplemental benefits. Then we have commercial payers that are kind of kind of can do their do their own thing, and those may look different state to state depending on those coverage laws. And then we have Medicaid programs that again are all different. So I think that's really the challenge for a lot of providers is figuring out when and how you can provide telehealth and tailoring that or putting together policies to make sure that they're doing it appropriately, depending on who the patient's payer is. So that that that's part of the challenge for providers that are that are operating in all four realms, you know, Medicare, MA, Medicaid, as well as commercial insurance.
SPEAKER_03:Right. That actually seems to happen much more on the telehealth network side than it does, you know, for any payers, any more traditional providers because they tend to be more local.
SPEAKER_01:Exactly. Exactly.
SPEAKER_03:Let's um switch our focus a little bit from reimbursement to other other issues with uh telehealth these days. Let's move on to privacy and security, which are always a hot topic in this area. Um and I want to talk a little bit about uh what what laws actually apply to telehealth providers.
SPEAKER_02:Thanks, Jen, and thanks for having me on. So what laws apply to telehealth with respect to privacy and security? The answer is plenty and seemingly more by the day. Um so I'll kind of divide it up into federal and state. At the federal level, you of course have HIPAA as kind of the 800-pound gorilla in medical privacy law. Um, but while I think people assume that if you're a healthcare provider, you're governed by HIPAA. Um, that's not necessarily the case due to the strange history of HIPAA. It actually only applies to healthcare providers who electronically transact with certain administrative transactions with health plans, which is certainly most healthcare providers. But um, you know, you may have a dentist, you may have a psychiatrist who is kind of out of pocket payments only. And in telehealth, we see a lot of those. We see a lot of telehealth providers who are, you know, do not accept insurance. It's just, you know, $50 per session or whatever. Um and so while consumers may readily assume that their telehealth conversations are subject to HIPAA, that may not actually be the case. Um and if anything, I think we're seeing more and more of this with things like um telehealth providers that are focused on prescribing GLP-1 drugs or things like that. You know, I think we continue to see growth in the non-HIPAA covered telehealth provider territory. Um next up at the federal level is Section 5 of the FTC Act, which Section 5 simply states more or less that um for-profit entities may not conduct deceptive or unfair trade practices. Um doesn't mention privacy, doesn't mention security, but in practice, the FTC has taken that language and said, well, if you have a privacy policy and you're not following it, if you maintain poor security, those are potentially deceptive and or unfair trade practices. And so Section 5 has really become the general umbrella, not specific to healthcare, but in general in the US of privacy and security law. 
So, you know, the FTC has become uh essentially the primary general enforcer of privacy and security in the US. And um telehealth, to the extent that a telehealth provider is a for-profit entity, would be subject to Section 5. And um, we have certainly seen the FTC bring enforcement actions um in healthcare. And in 2024, in fact, we saw two different enforcement actions with respect to um telehealth providers in particular related to their websites disclosing information like uh disclosing to third-party online tracking platforms that Adam Greene or you know IP address X, you know, has a subscription to our telehealth service or something like that. Um, so you know don't underestimate Section 5. And then um we also have 42 CFR Part 2, um, which is a federal law that governs the confidentiality of substance use disorder patient records. Um, doesn't cover all substance use disorder records, it only covers ones that start that are created by certain federally assisted programs that generally speaking hold themselves out as providing substance use disorder services. But a telehealth provider could certainly qualify as such if it, for example, participates in Medicare or has registration to dispense controlled substances, you know, those would make it federally assisted. And if it's potentially holding itself out as providing substance use disorder services, um including, you know, as part of more general mental health services, that could bring in 42 CFR Part 2, which has been around at this point for over 50 years. Um, we've actually never seen an enforcement action, to my knowledge, um, in those 50 years. But February of this year, we have new changes to 42 CFR Part 2 going into effect, including HHS being able to apply HIPAA penalties. And so kind of the enforcement risk, I think, is going up significantly for part two. 
So if you're a telehealth provider and you're involved in substance use disorder services at all, worth taking a close look at whether part two may apply to you. So that's just the federal level. Then you've got the state level. So we have good old-fashioned state medical privacy laws. So, you know, examples of these would be things like the California Confidentiality Medical Information Act or the Texas Medical Records Privacy Act. So I would say, you know, maybe half the states have general medical privacy laws. And these are oftentimes forgotten in the analysis, but can be more stringent than HIPAA. And so if you're a telehealth provider and you're operating in one state, you definitely want to know that state's medical privacy law. If you're a telehealth provider and you're operating nationally, you want to know a hell a whole lot of um state medical privacy laws and you know what may apply where. Um, so you've got those. You also have state, what I'd call sensitive condition laws. So these date back to things like HIV test results may have special protections and require specific authorization. Uh, genetic information may have special protections. Um more recently, though, um, the you know, we've been seeing the past three or four years after the Dobbs decision, um, reproductive health care, gender-affirming care, there may be special protections attached to those. So if you're a telehealth provider and you potentially have any of information about any of these sensitive conditions, then additional authorization requirements, for example, might apply. Or even we're starting to see restrictions on being able to disclose information out of one state into another, as there's kind of a battle between states of those who permit, for example, abortion and want to protect that information versus those who ban it and potentially, you know, want to take uh you know, want to take action with respect to when their residents travel to other states. 
So on top of that, you also have state telehealth-specific laws that may uh come into play. So a few states will have laws on privacy or security specific to telehealth. And then finally, we have this growing number of state consumer privacy laws, like the California Consumer Privacy Act, and all of those exempt PHI that's subject to HIPAA. But going back to the start of this conversation, if you are a telehealth provider who's not subject to HIPAA, you have to look at whether you could be subject to one of those state laws. And that's the laws that are in effect today. There's certainly been talk of federal legislation that could potentially close the gaps when entities are outside of HIPAA. And we continue to see either changes to the recently enacted state consumer privacy laws or more state consumer privacy laws. So, yes, as Sean mentioned, this was being recorded January 15th, might be out of date by January 20th. We'll see, as this is a constantly evolving area.
SPEAKER_01:There's one other one other thing that I want to throw out, and Adam, you bring up a good point by by addressing the consumer protection and consumer privacy laws, is I often get this isn't a telehealth-specific law, but I also often get questions from telehealth providers about the TCPA, Telephone Consumer Protection Act. Um, and I'm not necessarily a TCPA lawyer. I can answer some of those questions and some I refer out, but a lot of telehealth providers also are maintaining active relationships with their patients, their consumers, or even with potential consumers by engaging in outreach campaigns with text messages or automated phone calls or things like that. So we do get a lot of questions on TCPA compliance from telehealth providers as well. So I just wanted to throw that out there.
SPEAKER_02:Good point. And you know, there's a Supreme Court decision that kind of limited the application of TCPA, kind of clarifying what qualifies as automatic telephone dialing systems. But not all plaintiff's firms have necessarily gotten the memo on that. And so it still continues to be a hot area. And then, you know, same sort of federal state divide, even if you're not subject to federal TCPA, we're seeing a growing number of what are sometimes referred to as mini TCPA laws in the states that sometimes have broader reach than the federal TCPA. So, yes, if you're texting, if you're doing any autodialing, mostly texting in this case, you know, those laws are definitely good ones to take a close look at.
SPEAKER_03:You know, it's interesting because I think in the olden days, which is probably, I don't know, 10 years ago or um or or maybe more recently than that, even before some all of these state laws uh started springing up on uh privacy and and uh consumer protection, you know, I think people took the position that especially direct-to-consumer telehealth providers who were not subject to HIPAA, they would say, okay, great, you know, I'll just be subject to state law, and HIPAA was the 2,000-pound gorilla that they didn't want to have to comply with. Um, but now, because it's there are so many and they're so varied, and frankly, some are more stringent, um, but many have an exception for HIPAA covered entities. We're seeing a lot of um uh clients or telehealth providers who you know historically would have taken the position or would have would like to, if they could pick and choose, say that they were not um covered entities. But now they're asking, can we can we choose to be a covered entity even if we aren't? Because we'd rather, you know, for have HIPAA apply to us and potentially um preempt some of these, some of these state laws at least, than um you know have to be subject to all of these other um potentially moving targets. So it's an interesting, interesting place that we're in right now.
SPEAKER_02:Yeah, that's a really good point. I would say Washington's My Health, My Data Act, and then the Nevada equivalent, um, that one arguably the most uh the most stringent privacy law um in the country, at least in certain respects. Um New York almost took that crown recently, but um with its own New York HIPAA spelled differently, just to confuse things further. But that did that got vetoed by the governor. But yeah, I had this similar experience where everyone was doing everything they could to, you know, stay out of HIPAA coverage. But then when they realized how limiting My Health, My Data Act was, um, which does have an exception for PHI governed by HIPAA, suddenly they reconsidered that and said, you know, maybe HIPAA is not so bad after all.
SPEAKER_03:Well, I'm not sure that you can just opt, you know, that is a question that we keep having. Um, you know, can you opt into HIPAA even if you're not really a covered entity? You know, um, and that's I'm not sure anybody really knows the answer. I think the federal government might consider you, you know, enforce HIPAA against you if you choose to call yourself a covered entity. But I'm not sure that that necessarily gets you out of the state law issues.
SPEAKER_02:Yeah, but all it takes is one. So in the sense that's um one claim, right? Yeah, I I think you know arguably by definition, you're not subject to HIPAA if you're a healthcare provider that doesn't do any electronic transactions with health plans, but hey, submit one healthcare claim to a health plan and congratulations, you're a covered entity, not just with respect to that transaction, but that's right. Yeah, and no one's figured out when that ends, frankly.
SPEAKER_03:Yep, we'll see all sorts of people just doing that for for one. Um are there some um HIPAA or other privacy issues that you see that are specific to telehealth and not just to healthcare providers in general?
SPEAKER_02:So one I see a lot of is kind of the interplay of corporate practice of medicine and HIPAA's organizational structures. So, you know, I think what I oftentimes see with telehealth providers is a you know one or more professional corporations. Um, and then the the the true telehealth provider is actually kind of a management company that's doing all the administrative decisions, but you know, pursuant of the corporate practice of medicine, then of the clinical decisions. And so the way that can oftentimes play out is the PCs, the professional corporations, those are the covered entities, versus the telehealth provider, which oftentimes the lawyer's you know client, um, is actually not the covered entity, but is actually a business associate, maybe even both, you know, depending on the circumstances. Maybe they're able to practice in some states, but elsewhere they can't. And so they act as the business associate to separate professional corporations. And so, you know, there you want to kind of, you know, you don't want to be thinking about it from the standpoint of, oh, we've got you know 10 different professional corporations, which are 10 completely independent covered entities. So one thing that makes sense under HIPAA is oftentimes to establish them as what's referred to as an affiliated covered entity, or an ACE for short, um, where essentially covered entities who have common ownership, which would generally not be the case here, or a common control with a very, very loose definition under HIPAA of what qualifies as common control can designate as an affiliate covered entity as an ace and be treated more or less as one covered entity. 
And so if you're kind of a, I'd call it a telehealth ecosystem with kind of the platform provider, you know, platform slash management company and the PCs, um, you don't want to be thinking about these as, you know, okay, I've got professional corporation A's medical records, which are completely have to be kept separate from professional corporation B's medical records. So there's a lot of value to designate as an ACE, which the practical result is you get to treat all of the healthcare providers as if they're essentially a single covered entity. But then you also have to remember to have that business associate agreement in place. Um it's counterintuitive because the business associate, the management company, uh, you know, they they may be essentially in charge. Um, but from the standpoint of HIPAA, they're lower on the ladder. They're the business associate to the professional corporations, to the covered entities. Um, and so sometimes it gets forgotten that you know the one calling the shots needs to have a business associate agreement where they're you know technically kind of beholden to those professional corporations as the covered entities. Um that would definitely be one set of unique issues, I think, you know, not truly unique, but something that I see popping up in telehealth a lot more than elsewhere. Um, and so you know, make sure you have all your, you know, all that requires the appropriate documentation. So your ACE designation, your business associate agreement, that sort of thing.
SPEAKER_01:And and I see a lot of providers that overlook that, frankly, is even even you know, large national healthcare providers that that don't quite grasp that yes, we actually are a bunch of separate legal entities, including multiple professional corporations. And in many cases, you have to have multiple professional corporations because there are some states like like California and New Jersey and a few other states, depending on the profession, where you have to have a domestic professional corporation in order to provide services in that state. So you've got these national companies with multiple PCs or PLLCs. Um, and and really the solution for that is just like you said, uh Adam, is doing an ACE designation. And then what I've also seen is sometimes maybe it's a belt and suspenders approach, but also doing an OHCA, an organized healthcare arrangement, which is very similar to an ACE, but it's it's slightly different, but it still allows multiple covered entities to be able to share PHI. Um, and then just like you said, you really want to treat the entire enterprise, even if it's composed of PCs and a management company. You kind of want to they want to treat the business as a single business. So having that ACE designation or even an ACE and an OHCA designation allows you to develop sort of a single set of HIPAA policies, privacy policies, and security policies that can apply to the entire business instead of really having distinct separate HIPAA compliance programs for every single legal entity.
SPEAKER_03:Yeah, we've had a lot of a lot of discussion around that um as well. Sort of how to how to simplify, and you know, you're right that it's often true that it's the platform that is engaging counsel or that considers itself the business. But of course, that's not how the money flows either because of corporate practice of medicine. So it becomes a big, you know, sort of making sure everything is documented appropriately, and because of corporate practice of medicine, sort of who's doing what for who, um, that that's uh clearly um described um in documents is important as well.
SPEAKER_02:Yeah. And then after you've done all that, make sure you don't have HIPAA blinders on because um, unless a state specifically says if it's fine under HIPAA, it's fine under our state law. There, I don't think you'll find a single state medical privacy law that makes reference to an affiliated covered entity or an OHCA or anything like that. So all those things are kind of essential for HIPAA, but may have no bearing whatsoever at the state law level. So you have to make sure that you're still complying with state law.
SPEAKER_03:Can be complicated for sure. Let's talk a little bit about security. Um, are there uh specific things that you would recommend or specific requirements that you can think of that are specific to telehealth? Obviously, sort of security and privacy go hand in hand.
SPEAKER_02:Yeah. So, you know, first of course, there's the security rule in general. And so roughly 50 uh different standards and implementation specifications, and you know, uh every healthcare provider has challenges meeting you know the security rule, you know, day in, day out. So, you know, don't you know don't ignore the the generic stuff um to start off with. Um and this year we may see the first significant changes to the security rule really since it was enacted, other than the 2013 change to extend it to business associates. And so, you know, if you're a telehealth provider compliant with the security rule today, you may not be compliant by the end of 2026, um, you know, based on those changes. Um but then more specific to telehealth, you know, one is making sure you have a secure, compliant telehealth platform. So we saw, for example, when telehealth first started under COVID, um, OCR you know did a notice of enforcement discretion essentially stating we're not going to enforce if you don't comply with certain safeguards with respect to your choice of telehealth platforms, for example. So if it wasn't signing a business associate agreement, that was not necessarily fatal. That's long gone. That's years behind us. So you know, make sure that you're not using, you know, kind of generic consumer grade video conferencing, but rather you have an appropriate corporate grade, you know, secure solution in which the vendor, if they're going to have any access to protected health information, is signed a business associate agreement. So that's one area. Another one, you know, don't be stupid. Um a little bit of common sense goes a long way. Um, so you you would think you wouldn't have to say it, but you know, don't take telehealth calls if you're the provider on a crowded subway, um, or even like, you know, in a in your home in a place where family members can hear everything you're saying. 
So, you know, no matter where you're working, you have to treat that as a secure healthcare provider location. Um, even though, yes, it is easier than ever to do telehealth anywhere, you know, to pick up that call while, you know, at the boarding gate at the airport or something like that. But, you know, be cognizant that you you are subject to the security rule wherever you are taking that call, essentially. Um, and then finally, um, you know, this is not specific to telehealth providers, but as I mentioned earlier, we've seen a few enforcement actions in this area. Um, as a telehealth provider, you likely have a website and rely on it heavily. Um, understand what information is flowing from your website, you know, pixels, you know, over to Google Analytics or whatever. Um, and that all that is compliant with HIPAA and compliant with your privacy policies, because you know, we have seen, you know, in 2024 under the last administration, um, the FTC looked at telehealth providers and others at their website practices. We don't know whether under the new current administration um the FTC is gonna continue with that focus. But um, you know, if even if the FTC doesn't, there are plenty of class action attorneys who are happy to look at your website for you. And if they see information flowing, happy to bring litigation and hope for a quick, nice settlement. Um, so don't forget about those website disclosures.
SPEAKER_03:I'm gonna put a plug-in for doing um security risk assessments as well. We've certainly seen some enforcement um on clients' behalf. And you know, if you ever are investigated by OCR, the first thing that they're gonna ask you for is your security risk assessment. And if you can't provide one, um, they're gonna find that you know they just consider that a best practice or just not even a best practice, a required practice for entities in the healthcare industry. And so if you don't have one, you're likely to pay some fines and see some compliance enforcement.
SPEAKER_02:Yep, absolutely. There's about, you know, as I mentioned earlier, like 50 standards and implementation specifications, but not all of them are created equal. And that risk analysis implementation specification, OCR, the Office for Civil Rights at HHS, considers it foundational to your entire security rule compliance program. And if you look at, you know, the minority of cases that have gone to financial settlement or civil monetary penalties, those that don't relate to private privacy right of access, you know, I would say the number two issue tends to be on the security rule side, lack of a risk analysis. And through multiple administrations, they've had risk analysis listed as their number one priority in enforcement. So absolutely, you know, and as a telehealth provider, your risks are going to be entirely different than the risks facing a brick and mortar healthcare provider. And so your risk analysis should reflect those unique set of risks.
SPEAKER_03:We've uh we've talked a little bit about some other compliance risks already just in this conversation, like corporate practice of medicine, things that you have to think about as a telehealth provider. Are there other things that we should um mention here that that you guys would like to discuss? There's one one thing that we've um I know we've all talked about before was Medicare enrollment for a multi-state provider. Do you guys want to weigh in a little bit on that? The issue, you know, tends to be that number one, telehealth providers operate in multiple states and Medicare still requires enrollment on a state-by-state basis. And then also the Medicare regulations for enrollment, the requirements for enrollment, require, you know, sort of practice location information and operational information, and oftentimes there is no physical brick and mortar location for a telehealth provider. What do you guys do or recommend in those situations?
SPEAKER_01:You know, it's it's really a challenge for for healthcare providers that are operating telehealth practices that are providing services in almost every state, um, especially because they may not have a brick and mortar location, and they certainly, if they're telehealth only provider, they certainly are not seeing patients in those locations. But CMS doesn't necessarily require that you have locations that people that patients can come in and actually be treated. These locations just have to be operational, and and they don't have to be operational 24-7 or anything like that. But what they really expect is that you've got an address, a physical address, in each state, that the that that address at that location is operational, whether it be an office location or even a home location for a physician if they're providing services out of their home, and that and that really the the information that you provide about that location, that it's accurate. So that's kind of the key things. But the problem is there's, you know, Medicare surveyors, this is rare, but they certainly can show up and and do a survey, and if they show up and do a survey, they're going to be looking for a lot of other things. They're going to be looking for signage, and they're going to be looking for staff, and they're going to be looking for, you know, posted office hours and stuff like that. So that can be a challenge for for telehealth providers, but my advice typically is to try to get an address in each state. If that needs to be the personal address of a physician, and then that can work. There's been a flexibility over, again, it was related to COVID, for providers to be able to not necessarily have to enroll their home locations, but even if they didn't enroll their home locations, then they still had to have a practice location or a primary practice location still in that state that they were reporting the services from. 
So best practice is still going to be to have a practice location with an address in every state, even if you're not providing services out of it every day and even if you can't see patients in person in that location. But you need to get an address. And then and then if if you do need to use a provider's home address, there is now a an ability to mask that. If you report it as an administrative only site or a telehealth site, then then that the address itself, for privacy reasons, I believe, is masked from things like the NPI database or the provider enrollment record. So that's not available to the public, um, but it still certainly is a challenge to to deal with those with those rules that are really designed around traditional in-person brick and mortar locations.
SPEAKER_03:Yeah, we had exactly that situation recently, um, where an investigator went to the, you know, cited physical location, which was some WeWork space or, you know, that that, um, and that didn't didn't cut it. Um, and we've seen the same thing happen when it's a PO box, you know, like that that doesn't work either.
SPEAKER_01:Yeah, they want it, they want a physical location. I've had some some luck using a WeWork space or a Regus space or those those types of temporary, you know, rented office locations, but you still have to make sure that it's an operational space, and sometimes you have to you have to provide an explanation to the Medicare surveyor. Yep, with that, I think, um, we're kind of getting to the end of our time, so, um, do you guys have anything else you want to discuss before we sign off? I don't, I don't think, nothing necessarily. I think we've covered a lot of interesting issues. You know, there's a lot of compliance issues and that come along with telehealth, just, you know, the ones we've spoken about: reimbursement, privacy and security, corporate practice of medicine is always a challenge. And then I guess the other one thing that that can be difficult, but certainly you can deal with, is establishing provider relationships remotely. If you don't already have a relationship with that patient, the provider does not, then each state has different standards or criteria for what you can do to create to establish that patient relationship remotely via telehealth. So make sure, if you're operating in a state or a number of different states, that you're aware of, or advising clients that they are aware, that there may be different standards for establishing that relationship in different states. But otherwise, this has been a great discussion. I think we've covered a lot of topics, and hopefully it's been helpful to everybody.
SPEAKER_03:Thanks, you guys, so much for participating.
SPEAKER_01:Thank you.
SPEAKER_00:Take care. Thanks, Jen. Thank you. If you enjoyed this episode, be sure to subscribe to AHLA Speaking of Health Law wherever you get your podcast. For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org, and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily podcast, exclusively for AHLA Comprehensive members. To subscribe and add this private podcast feed to your podcast apps, go to americanhealthlaw.org/dailypodcast.