Telehealth compliance considerations: looking ahead

Telehealth seems to be here to stay, even as the Coronavirus pandemic begins to recede in the United States. It’s a good time for healthcare institutions to make sure their telehealth practices hold up outside of emergency circumstances. 

From a compliance perspective, that means  patient privacy and technology, valid consent for treatment, visits with minors, and interstate care.    


Patient privacy in telehealth

Patient privacy is just as important in telehealth as it is for in-person visits. This includes ensuring the provider conducts visits in a private space and documenting the visit in a secure medical record.   

During the Coronavirus national public health emergency, the federal government has some enforcement discretion with telehealth. Regulators can choose not to impose penalties for Health Insurance Portability and Accountability Act (HIPAA) violations if they see that a provider took precautions to protect patient privacy provider. Good faith might mean using a platform like Microsoft Teams, Zoom, or WebEx and patient-specific passcodes – and still having a privacy breach. In a case like this, the regulator has the discretion not to impose fines under HIPAA. 


Consents and visits with minors 

Developing a process to obtain consent to treat before the first visit can help you comply with consent requirements. This may include mailing or securely emailing the consent to the patient (or parent or legal guardian) the week before the telehealth visit and having the patient send it back.  This gives the provider time to answer the patient’s questions about consent for treatment.   

For urgent telehealth visit, make sure there are policies in place to address telephone/verbal consent or to obtain two provider consents.  If your system allows, you may be able to electronically send the consent. The patient can sign it online so you can add it to the electronic health record.  

Whatever method to obtain consent your organization chooses, ensure there is a policy addressing the proper procedure and educate the team on the policy.   

For telehealth visits with minors, try to follow the same process as for in-person visits. That means you should obtain the consent to treat and have it signed by a parent or legal guardian.  Then have the parent or legal guardian attends the telehealth visit with the minor patient.  This way diagnosis, care, and treatment plan can be discussed with the patient and the parent or legal guardian at the same time.  


Crossing state lines for telehealth

Things to consider if the patient and provider are not conducting the telehealth visit in the same state: 

  • Licensing: Some state licensing boards have reciprocity. Some may not require an additional license in compact states while others may require a temporary or actual license to provide care in that state. This often applies to care provided via telehealth. 
  • Prescriptions: Can you prescribe across state lines? Avoid compliance issues by sending the prescription to a pharmacy in the provider’s “home” state. Then have the patient request a pharmacy-to-pharmacy transfer of the prescription. 
  • Your insurance: Does your medical professional liability (MPL) insurance provide coverage if you are out of state? How about if the patient is located outside your “home” state? Contact your MPL insurer to be certain you have coverage in the event of an out of state lawsuit. 
  • The patient’s insurance: What will the patient’s insurance cover for visits conducted out of the patient’s “home” state?  Be sure to verify this before the patient’s telehealth visit to ensure proper billing and reimbursement for the visit and to decrease billing denials.   

Considerations for adding telehealth as a service line 

There are resources available for organizations considering adding telehealth as a permanent service line. YouCompli can help you understand which regulations apply to you, stay on top of changes, and manage implementation.  

You can also find many free resources online:  

For many types of visits, patients love the option of telehealth. As providers work to be sure that they continue to deliver quality care, Compliance teams have an equally big job to be sure the systems and processes are in place to support that experience. 

Keep on top of regulations affecting telehealth and making sure those regulations are translated into policies and procedures that affect patient care. YouCompli customers have access to notifications about changes to regulations, resources to inform policy and procedure updates, and tools to track compliance. Contact us today to learn more. 

Denise Atwood, RN, JD, CPHRM is the Chief Risk Officer at District Medical Group (DMG), Inc., vice president of DMG Insurance Company (DMGIC), and owner Denise Atwood, PLLC.   

Disclaimer: The opinions expressed in this blog are the author’s and do not represent the opinions of DMG. 

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

AHA and CMS to Keep Regulatory Flexibilities in Place

COVID-19 continues to create obstacles and challenges for healthcare compliance professionals. Thriving in this environment means being agile and adaptive.

The AHA’s Requests

Last week, the American Hospital Association (AHA) asked the Centers for Medicare & Medicaid Services (CMS) to keep relaxed regulations in place. Specifically, the AHA is interested in keeping flexibility around telehealth, quality and compliance measures, and bed capacity.

The telehealth changes are ones that have been on the horizon for some time. Essentially, the AHA is asking CMS to continue to allow hospitals to provide a wide range of telehealth services, without limitations as to profession or geographic location. The AHA is also asking for flexibility on billing and payments related to telehealth to be made permanent.
More interestingly, the AHA has also asked that CMS extend regulatory relief related to some quality and patient safety regulations. These include expanding the use of verbal orders, and extending the reuse of PPE.

The AHA has also asked that CMS provide hospitals with a transition period, to allow them to more easily move from pandemic response to ordinary practice. This includes a request for temporary waivers for sanctions and penalties related to HIPAA , and flexibility on audit requirements. And, it includes a request that certain rules and requirements be delayed or suspended.

The Response From CMS

Three days after the AHA released this letter, Michael Caputo, Assistant Secretary for Public Affairs at the Department of Health and Human Services (HHS), tweeted this :

The public health emergency is currently set to expire on July 25. However, as of this writing, HHS hasn’t officially announced how long the extension will be

This means that we don’t yet know what will happen when the emergency finally does end. Will HHS give a transition period, as the AHA has requested? Will HHS continue to allow flexibility about telehealth, which they have previously indicated they would?

Staying up to date on this fluid situation is going to be a key task for compliance in the coming weeks.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Worker Fatigue and the Potential Negative Impact on Compliance

When workers get fatigued, what is the impact on compliance?

We all know that, during a normal workday, workers can get fatigued. Fatigue can come from a variety of sources, including personal and professional challenges or stressors. Mental fatigue specifically occurs when there is a need to process overwhelming amounts of new data or information.

The impact and stressors of working during a pandemic can make this worse. Mental fatigue is exacerbated because there is so much new information to cull through on a daily (sometimes more frequent) basis. Combine this information overload with rapidly changing pandemic recommendations and guidelines, and it’s no wonder that workers are becoming more fatigued.

Effects of Fatigue

Memory and performance both decline when a person is mentally fatigued, which can lead to non-compliant behaviors and actions. This happens because fatigue decreases the ability to make new, short-term memories. Lack of short-term memories prevents the formation of long-term memory knowledge. And a person simply cannot recall information which has not been transferred to long-term memory. In this way, fatigue decreases the ability to recall information – whether recently learned or already known.

For example, if the organization has not previously billed for telehealth visits, a fatigued coder may not remember the education that was provided regarding telehealth documentation requirements or the codes applied to these visits. Moreover, the coder may have difficulty recalling in-person visit codes or coding modifiers. When these effects of fatigue happen, coding compliance will decrease.

Mental and physical fatigue can affect worker performance in other ways. Think about the last time you did not get a good night’s sleep. At work the next day, all you can think about is drinking more coffee or taking a nap or going to bed early that night.

Signs of this kind of fatigue include decreased awareness or a general decrease in interest with respect to work or job tasks. Other signs of fatigue include changes in judgment or decision-making. Take, for example, an employee who is usually very engaged on the job, but unexpectedly shows up late for a scheduled meeting. During the meeting, the employee is unusually quiet and provides limited feedback. If that employee’s knowledge and feedback are necessary to make a critical compliance-related decision there would be not only a negative effect on compliance, but potentially a negative effect on the entire organization.

Compliance Fatigue

There is also a form of specific compliance fatigue – where people are overwhelmed and wearied by the numerous adherence requirements in healthcare policies and procedures and rules and regulations. This combines with mental fatigue, which inhibits the ability to remember and follow these policies and procedures, which is the cornerstone of good compliance.

Employees may know and understand policies and procedures addressing HIPAA. For example, they must use encryption when emailing protected health information (PHI) or personally identifiable information (PII) or payment card information (PCI). Similarly, in the course of their work, they must exercise heightened caution before clicking on links embedded in emails. If they are experiencing fatigue, the possibility of compliance failures increases.

As physical, mental and compliance fatigue increase the potential for job related mistakes, they conversely decrease worker compliance. The overall impact of worker fatigue can have very real and negative impact on compliance ranging from simple mistakes or lapses in judgment to catastrophic errors related to breach of PHI/PII or PCI.

Practice Tips

Encourage supervisors to regularly meet with their staff to evaluate the level of information fatigue or physical fatigue. If possible, conduct education and feedback sessions to help the team talk through fatigue challenges.

Utilize resources, such as youCompli, to assist the team in staying current with healthcare compliance related changes to guidelines, regulations and laws, and managing compliance-related workflows automatically.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

Understanding and Managing the HIPAA Security Rule

Protecting the privacy of patients is of paramount concern to healthcare organizations today. Data breaches and/or hacking attempts are happening more frequently. Regulatory requirements are constantly changing. And the pace of technology innovations keeps increasing. The penalties, both financial and reputational, can be disastrous for any organization — and its compliance team — that is not prepared and in the know at all times

For example, recently a healthcare institution mailed hundreds of patient statements, containing names, account numbers and payments due, to wrong addresses. The organization believed that, for most of these statements, this was not a reportable breach, because there was no patient diagnosis, treatment information, or other medical information listed.

This was not correct. And the failure to understand the rule and its nuances resulted in a $2 million settlement.

The HIPAA Security Rule is the hedge against that kind of disaster  —  so grasping its complexity is crucial.

The regulations that comprise the Security Rule are often the most difficult to understand and implement, as every security compliance measure must be carefully monitored and reported. Not only are all healthcare organizations required to meet the standards and legal requirements in the Security Rule, there can also be implementation specifications which include provide detailed instructions and steps needed for compliance.

From an administrative perspective, HIPAA requires a documented framework of policies and procedures. These policies and procedures detail exactly what your organization does to protect key information. For example, policies can outline the requirements for training for all employees, including those who do and do not have direct access to vital patient information.

The documents that outline the policy and procedure framework must be retained for at least six years (although state requirements may mandate longer retention periods). As policies change, so must your accompanying documentation. And to further ensure your compliance, periodic reviews of policies and responses to changes in the electronic patient health information environment are also recommended.

From a security perspective, HIPAA requires a comprehensive evaluation of the security risks your organization faces, as well as the electronic health record technologies your organization uses.  This includes a combination of physical safeguards — such as IT infrastructure, computer systems and security monitoring systems — and technical safeguards — such as risk management software, healthcare management software or regulatory software. These safeguards are designed to both protect patient information and control access to it.

Fortunately, the Security Rule allows for scalability, flexibility and generalization. This means that smaller organizations are given greater latitude in comparison to larger organizations that have significantly more resources. HIPAA’s security requirements are also not linked to specific technologies or products, since both can change rapidly. Instead, requirements focus more on what needs to be done and when, and less on how it should be accomplished.

Managing the complexity of the HIPAA Security Rule can be easier. At youCompli, we help you identify, document and monitor your critical HIPAA information. We understand the time and resource constraints that compliance officers operate under — the need for quickly collecting and accessing quality data and reporting it. Our solutions enable you to remain up-to-date with healthcare regulations — what they mean and how to implement them with precision accuracy in cost-efficient and effective ways. Contact us for more information on how to approach and implement the Security Rule and remain in compliance.