HIPAA AND FEES FOR MEDICAL RECORDS – Updated OCR guidance sets limits.

Physicians and other HIPAA covered entity providers are familiar with HIPAA’s rule on fees that may be charged when individuals request copies of their medical records. The federal Office of Civil Rights (OCR), the enforcement agency for the HIPAA Privacy Rule, recently released updated guidance directives on when fees may be imposed and limitations on costs that may be included in assessing such fees. Medical practices, especially those with separate HIPAA and non-HIPAA medical record fee schedules, may be surprised at what the OCR is now saying.

Continue Reading HIPAA and Fees For Medical Records

Apple Watch at Brick Gentry P.C.
Apple Watch at Brick Gentry P.C.

Apple Watch, HIPAA, and Mobile Healthcare Industry.

When one of our more tech savvy partners recently showed us his new Apple Watch, it instinctively raised questions as to how would HIPAA regulate its use. One possible answer is that the features of this new Apple Watch may be the linchpin to a whole new culture in the mobile health industry.

Continue Reading Peeling Back the Apple Watch

Iowa Behavioral Health Association Hosts Jeanine Freeman & Paul Drey

HIPAA presentations for IBHA by Paul Drey, Jeanine Freeman
Paul Drey, Jeanine Freeman present HIPAA education to Iowa Behavioral Health Association.

 

On July 23rd the Iowa Behavioral Health Association (IBHA), Iowa’s statewide association of substance use disorder agencies, addiction treatment programs and community mental health centers, hosted prominent health care attorneys Paul Drey and Jeanine Freeman of the Brick Gentry Law Firm to provide training on the Health Insurance Portability and Accountability Act (HIPAA).

This educational session centered around HIPAA requirements and regulations, new updates to the law, and its intersection with 42 CFR, the regulation governing substance use related health information.

Ms. Freeman and Mr. Drey answered questions from the audience, presented information and resources on compliance and best practices, and offered valuable insights from their own experiences. Participants clarified issues through lively discussion. Attendees left the session feeling confident and empowered in their understanding of HIPAA and its implementation and enforcement in their own organizations.


Upon generously contributing this photograph and information, Kelsey Clark, Interim Executive Director of the Iowa Behavioral Health Association, added, “IBHA very much appreciates Mr. Drey and Ms. Freeman providing this session and looks forward to future endeavors with these top notch legal experts.”

If your association or practice group could benefit from a customized presentation on healthcare law topics, we invite you to contact Paul Drey to discuss your needs and scheduling.  We appreciate the efforts of the healthcare community and stand ready to assist.

The Iowa Board of Medicine (IBM), at its April 3, 2015 meeting, approved a final rule setting forth disciplinary standards applicable to physicians who use telemedicine in diagnosing and treating patients located in Iowa.

That rule also includes standards and prohibitions that all physician licensees must comply with in providing patient care whether by telemedicine or not. The adopted Rule will be published in the April 29 Iowa Administrative Bulletin and then reviewed by the legislature’s Administrative Rules Review Committee at a time yet to be set. The rule is slated to go into effect on June 3, 2015.

The IBM, in the final rule, made several changes to its proposed telemedicine practice rule.  Those changes reflect the IBM’s responses to public comments on its originally noticed proposed rule and its next draft.  Changes, for the most part, bring clarity to the rules and their expectations.

The final rule primarily addresses requirements for physicians who use telemedicine. Those requirements are substantial. Failure to satisfy any of these requirements subject the physician using telemedicine to IBM discipline. Failure to comply with the rules also might be claimed by plaintiffs alleging medical negligence in the delivery of telemedical care.

It is critical that physicians using telemedicine understand the IBM’s substantial expectations of them. The fact that a hospital or other telemedicine site ordinarily is operationally responsible for certain of the IBM’s proposed requirements (i.e., equipment compliance with safety codes, HIPAA privacy and security compliance), standing alone, does not relieve the telemedicine physician from assuring compliance with such requirements as set forth in the IBM’s telemedicine rule. The final rule made changes to reflect this concern, yet physicians continue to face discipline for non-compliance on each of the final rule requirements.

The following is a summary of the IBM’s final rule. Click here to read the final rule.

The IBM defines telemedicine by clarifying what telemedicine means and includes as well what it does not include for purposes of this rule.

  • Telemedicine means the practice of medicine using electronic audio-visual communications and information technologies or other means, including interactive audio with asynchronous store and forward transmission, between a physician licensee in one location and a patient in another location with our without an intervening health care provider. Telemedicine includes store-and-forward technologies, remote monitoring, and real-time interactive services, including tele-radiology and tele-pathology.
  • Telemedicine does not include the provision of medical services only through an audio-only telephone, email messages, facsimile transmissions, mail service, or any combination thereof.

For physicians using telemedicine, the rule makes it clear that –

  • Physicians using telemedicine will be held to the same standards of care and professional ethics as physicians using traditional in-person encounters with patients.
  • Physicians using telemedicine must do so within the physician’s scope of practice and the physician’s education, training, experience, ability, and licensure/certification.
  • Physicians using telemedicine in the diagnosis and treatment of a person located in Iowa must have an active Iowa medical license consistent with federal and state law (unless an exception to licensure already provided in the IBM’s licensure rules applies) regardless of the in-state or out-of-state site from which the physician provides those telemedicine services.
  • Physicians using telemedicine must utilize evidence-based telemedicine practice guidelines and standards of practice to the degree they are available.

Physicians using telemedicine must establish a valid physician-patient relationship with the person who receives telemedicine services. For purposes of this rule —

  • The physician-patient relationship begins when 1) a person with a health-related matter seeks assistance from a physician; 2) the physician agrees to undertake diagnosis and treatment of that person; and 3) the person agrees to be treated by the physician even if there has not yet been an in-person encounter between the physician and that person.
  • A valid physician-patient relationship may be established in one of three ways: 1) an in-person encounter with an in-person medical interview and physical exam where standards of care would require an in-person encounter; 2) consultation with another physician or other health care provider who has an established relationship with the patient and who agrees to participate in or supervise the patient’s care; or 3) a telemedicine encounter if standards of care do not require an in-person encounter and consistent with evidence-based telemedicine practice guidelines.
  • An “in-person encounter” is defined to mean the physician and the patient are in the physical presence of each other and in the same physical location during the physician-patient encounter.

Further, physicians using telemedicine must –

  • Ensure that systems are in place to ensure that non-physician health care providers whom the physician relies upon or delegates to in the provision of a telemedical service are qualified and trained to provide such service within the non-physician’s scope of licensed practice; further, the physician must be available either in-person or electronically to consult with non-physician health care providers, particularly in the event of an injury or an emergency in the course of telemedicine service delivery.
  • Verify the identity of the patient receiving the telemedicine services and ensure the patient can verify the identity, licensure status, certification and credentials of all health care providers involved in providing the telemedical service prior to the provision of that care.
  • Ensure the patient is interviewed to collect the patient’s relevant medical history, receives a physical examination when medically necessary, sufficient for diagnosis and treatment prior to providing treatment via telemedicine, including issuing a prescription electronically or otherwise. The medical interview and physical examination need not be in-person if the telemedical encounter is sufficient to establish an informed diagnosis as though the medical interview and physical exam had been performed in-person.  A static Internet questionnaire alone cannot suffice for the medical interview and physical exam prior to treatment, including issuing a prescription either electronically or otherwise.  “Static” is defined in the rule.
  • Ensure that patient informed consent is provided, including consent for the use of telemedicine, and that such consent is timely documented in the patient’s medical record.
  • Identify and provide the patient’s medical record to the patient’s treating physician and/or medical home, when available and medically appropriate, where in-person medical services can be delivered in coordination with the telemedicine services the patient receives.
  • Have access to or adequate knowledge of local medical resources for appropriate follow-up care.
  • Refer a patient receiving telemedical services to an acute care facility or emergency department in the event of an emergency or for the safety of the patient.
  • Ensure complete, accurate, and timely medical records, as appropriate, including notation of when telemedicine is used and other matters set forth in the rule, and, further, ensure that the patient and other health care providers have timely access to such information and that the patient, upon request, receives a timely summary of each telemedical encounter.
  • Ensure that all telemedicine encounters comply with HIPAA privacy and security measures.  Written protocol must be established and periodically reviewed, addressing measures specified by the IBM in its proposed rule to assure the confidentiality and integrity of patient-identifiable information.
  • Equipment and technology used in the telemedical encounter must comply with safety laws and codes and are of sufficient quality/size/resolution/clarity to safely and effectively provide the telemedicine service.
  • Ensure that information is disclosed to the patient re: the type of services to be provided via telemedicine; contact information, identity and credentials of all health care providers involved in the provision of the telemedical service; limitations, if any, on drugs and services as provided via telemedicine; fees/costs sharing if different than in an in-person encounter; financial interests, if any; limitations on the use of the telemedicine technology; and other information as detailed in the proposed rule.
  • Ensure the patient’s ability to amend their patient information, to provide feedback on the quality of the telemedical encounter, and to register complaints.

For all physicians, whether in the course of using telemedicine or otherwise, the final rule –

  • Sets forth several circumstances under which standards of medical care may not require a physician licensee to personally examine a patient. Circumstances include where the physician prescribes medications on a short-term basis for a new patient and has scheduled or is in the process of scheduling an appointment to personal examine the patient; call or cross-coverage situations in which a physician licensee is taking call or is covering for the other physician licensee who has an established physician-patient relationship with the patient; situations in which the patient has been examined in person by an advanced registered nurse practitioner or physician assistant or other licensed practitioner with whom the physician licensee has a supervisory or collaborative relationship; and other circumstances set forth in the rule.
  • Prohibits physician licensees from prescribing based solely on an Internet request or an Internet questionnaire. An internet questionnaire is defined to mean a static questionnaire provided to a patient to which the patient responds with a static set of answers, in contrast to an adaptive, interactive and responsive online interview.
  • Prohibits physician licensees from prescribing based solely on a telephonic evaluation for any person absent a valid physician-patient relationship.

See our page dedicated to Telemedicine for all related articles.

UPDATE: Subsequent to this post the IBM has adopted the Telemedicine Rule. See our page dedicated to Telemedicine for all related articles, including our most current post.

The Iowa Board of Medicine Amends Its Proposed Telemedicine Rule – Final Adoption Slated for the IBM’s April 3 Pubic Meeting

The Iowa Board of Medicine (IBM) has made several changes to its proposed disciplinary rule for physicians using telemedicine in Iowa. Those changes reflect the IBM’s responses to public comments on its originally noticed proposed rule. The IBM will accept comments on its amendments but no public hearing or comment period has been scheduled nor is the IBM required to do so.  The IBM expects to adopt a final telemedicine practice rule at its April 3, 2015, public meeting. The rule’s effective date, once adopted, will be set in the final rule.

While there are provisions in this proposed rule that apply to all physicians, for the most part the rule as amended remains focused on standards of practice for physicians who use telemedicine. The requirements of the rule are substantial. Failure to satisfy any of these requirements subject the physician using telemedicine to IBM discipline. Failure to comply with the rules also might be claimed by plaintiffs alleging medical negligence in the delivery of telemedical care.

It is critical that physicians using telemedicine in diagnosing or treating a patient located in Iowa understand the IBM’s substantial expectations of them. The fact that a hospital or other telemedicine site ordinarily is operationally responsible for certain of the IBM’s proposed requirements (i.e., equipment compliance with safety codes, emergency protocols, HIPAA privacy and security compliance), standing alone, does not relieve the telemedicine physician from assuring compliance with such requirements as set forth in the IBM’s telemedicine rule.

The following summary addresses the IBM’s proposed telemedicine disciplinary rule as now amended. Click here to read the amended proposed rule. The IBM has invited feedback on the draft amendments so further changes are possible prior to the IBM’s April 3 vote on adoption of the rule.

The IBM’s definition of telemedicine was amended to clarify what telemedicine means and includes as well as to affirm what it does not include for purposes of this rule.

• Telemedicine means the practice of medicine using electronic audio-visual communications and information technologies or other means, including interactive audio with asynchronous store and forward transmission, between a physician licensee in one location and a patient in another location with our without an intervening health care provider. Telemedicine includes store-and-forward technologies, remote monitoring, and real-time interactive services, including tele-radiology and tele-pathology.

• Telemedicine does not include the provision of medical services only through an audio-only telephone, email messages, facsimile transmissions, mail service, or any combination thereof.

For physicians using telemedicine, the proposed rule makes it clear that –

• Physicians using telemedicine will be held to the same standards of care and professional ethics as physicians using traditional in-person encounters with patients.

• Physicians using telemedicine must do so within the physician’s scope of practice and the physician’s education, training, experience, ability, and licensure/certification.

• Physicians using telemedicine in the diagnosis and treatment of a person located in Iowa must have an active Iowa medical license consistent with federal and state law (unless an exception to licensure already provided in the IBM’s licensure rules applies) regardless of the in-state or out-of-state site from which the physician provides those telemedicine services.

• Physicians using telemedicine must utilize evidence-based telemedicine practice guidelines and standards of practice to the degree they are available.

For physicians using telemedicine, the amended proposed rule requires a valid-physician patient relationship with the person who receives telemedicine services. For purposes of this rule —

• The physician-patient relationship begins when 1) a person with a health-related matter seeks assistance from a physician; 2) the physician agrees to undertake diagnosis and treatment of that person; and 3) the person agrees to be treated by the physician even if there has not yet been an in-person encounter between the physician and that person.

• A valid physician-patient relationship is established in one of three ways: 1) an in-person encounter with an in-person medical interview and physical exam where standards of care would require an in-person encounter; 2) consultation with another physician or other health care provider who has an established relationship with the patient and who agrees to participate in or supervise the patient’s care; or 3) a telemedicine encounter if standards of care do not require an in-person encounter and consistent with evidence-based telemedicine practice guidelines.

• An in-person encounter means the physician and the patient are in the physical presence of each other and in the same physical location during the physician-patient encounter.

Further, physicians using telemedicine must –

• Ensure that systems are in place to ensure that non-physician health care providers whom the physician relies upon or delegates to in the provision of a telemedical service are qualified and trained to provide such service within the non-physician’s scope of licensed practice; further, the physician must be available electronically to consult with non-physician health care providers, particularly in the event of an injury or an emergency in the course of telemedicine service delivery.

• Verify the identity of the patient receiving the telemedicine services and ensure the patient can verify the identity, licensure status, certification and credentials of all health care providers involved in providing the telemedical service prior to the provision of that care.

• Ensure the patient is interviewed to collect the patient’s relevant medical history receives a physical examination, when medically necessary, sufficient for diagnosis and treatment prior to providing treatment via telemedicine, including issuing a prescription electronically or otherwise. The medical interview and physical examination need not be in-person if the telemedical encounter is sufficient to establish an informed diagnosis on par with an in-person medical interview and physical exam. An Internet questionnaire alone cannot suffice for the medical interview and physical exam prior to treatment, including issuing a prescription either electronically or otherwise.

• Ensure that patient informed consent is provided, including consent for the use of telemedicine, and that such consent is timely documented in the patient’s medical record.

• Identify and provide the patient’s medical record to the patient’s treating physician and/or medical home, when available and medically appropriate, where in-person medical services can be delivered in coordination with the telemedicine services the patient receives.

• Have access to or adequate knowledge of local medical resources for appropriate follow-up care.

• Establish written protocols for referral of a patient receiving telemedical services to an acute care facility or emergency department in the event of an emergency or for the safety of the patient.

• Ensure complete, accurate, and timely medical records, as appropriate, including notation of when telemedicine is used and other matters set forth in the rule, and, further, ensure that the patient and other health care providers have timely access to such information and that the patient, upon request, receives a timely summary of each telemedical encounter.

• Ensure that all telemedicine encounters comply with HIPAA privacy and security measures and, further, establish written protocols, which shall be periodically reviewed, addressing measures specified by the IBM in its proposed rule to assure the confidentiality and integrity of patient-identifiable information.

• Ensure that the equipment and technology used in the telemedical encounter comply with safety laws and codes and are of sufficient quality/size/resolution/clarity to safely and effectively provide the telemedicine service.

• Disclose clearly to the patient the type of services to be provided via telemedicine; contact information, identity and credentials of all health care providers involved in the provision of the telemedical service; limitations, if any, on drugs and services as provided via telemedicine; fees/costs sharing if different than in an in-person encounter; financial interests, if any; limitations on the use of the telemedicine technology; and other information as detailed in the proposed rule.

• Ensure the patient’s ability to amend their patient information, to provide feedback on the quality of the telemedical encounter, and to register complaints.

For all physicians, whether in the course of using telemedicine or otherwise, the proposed rule, as amended –

• Sets forth several circumstances under which standards of medical care may not require a physician licensee to personally examine a patient. Circumstances include where the physician prescribes medications on a short-term basis for a new patient and has scheduled or is in the process of scheduling an appointment to personal examine the patient; call or cross-coverage situations in which a physician licensee designated by the patient or other physician licensee is taking call or is covering for the other physician licensee who has an established physician-patient relationship with the patient; situations in which the patient has been examined in person by an advanced registered nurse practitioner or physician assistant or other licensed practitioner with whom the physician licensee has a supervisory or collaborative relationship; and other circumstances set forth in the rule.

• Prohibits physician licensees from prescribing based solely on an Internet request or an Internet questionnaire. An internet questionnaire is defined to mean a static questionnaire provided to a patient to which the patient responds with a static set of answers, in contrast to an adaptive, interactive and responsive online interview.

• Prohibits physician licensees from prescribing based solely on a telephonic evaluation for any person absent a valid physician-patient relationship.

Physician Practices Must Remain Vigilant in Responding to Subpoenas for Mental Health Information

Review of In the Interest of A.M. v. Thomas, Iowa Supreme Court, November 21, 2014

Summary. In a case it calls one of first impression, the Iowa Supreme Court upheld a subpoena to compel the testimony of a psychotherapist regarding the mental health condition of her patient, the mother of three children, in a Child in Need of Assistance (CINA) adjudicatory custody hearing. The therapist had objected to giving testimony, citing the patient/mental health professional privilege of Iowa Code section 622.10; the prohibitions against disclosure of mental health information of Iowa Code chapter 228; and the federal HIPAA Privacy Rule. The Supreme Court concluded, however, that the specific statutory language of Iowa Code section 232.96(5), stating that the privilege protections for mental health communications shall not be grounds for excluding evidence in a CINA adjudicatory hearing, prevailed.

Background and Analysis – Why the Court landed where it did. This case involved a mother who had temporarily lost custody of her three minor children due to mental health issues and improper supervision. After receiving therapy, the juvenile court returned custody of the children to the mother under supervision of the Department of Human Services. Prior to a subsequent review hearing, however, the guardian ad litem (GAL) appointed by the juvenile court to represent the children’s interests received reports of concern regarding the mother’s behavior and demeanor. As a result, the GAL subpoenaed the mother’s psychotherapist to testify at the review hearing and to produce her therapy notes. The psychotherapist objected and moved to quash the subpoena, citing privilege and confidentiality under Iowa Code chapter 228, prohibiting disclosures of mental health information; Iowa Code 622.10, the patient-health professionals evidentiary privilege statute; and the federal HIPAA Privacy Rule. In response, the GAL argued that Iowa Code section 232.96(5), authorizing admission of otherwise privileged mental health communications in CINA proceedings, supported the subpoena.

The juvenile court upheld the therapist’s motion to quash the subpoena’s request for disclosure of psychotherapy notes; that ruling was not appealed and, as such, not addressed by the Supreme Court.  However, the juvenile court denied the therapist’s motion to quash the subpoena’s request for testimony on the mother’s mental health condition; the therapist appealed this ruling. The Iowa Supreme Court agreed with the juvenile court, ruling that the narrowly-drawn statutory language of section 232.96(5) supported the subpoena and testimony by the psychotherapist.

Section 232.96(5), found in Iowa’s Juvenile Justice Code, specifically directs that the privilege attaching to confidential communications between a patient and a health practitioner or mental health professional shall not be grounds for excluding evidence in a hearing on a petition alleging a child to be in need of assistance. The Court said it is clear from the language of this statute that the legislature intended to create a statutory exception to the patient-psychotherapist privilege of Iowa Code section 622.10. The policy behind the limited statutory exception of 232.96(5) in CINA custody matters makes sense; here, the therapist’s testimony regarding the mother’s mental health and treatment goals is highly relevant to the best interests of the children.

The Court then turned to Iowa Code chapter 228 and its prohibitions against disclosure of mental health information. Section 228.2 directs that mental health information shall not be disclosed, “except as specifically authorized.” Here, section 232.96(5) grants such authorization. Too, section 228.6(1) allows disclosure of mental health information to meet the disclosure requirements of other state or federal laws relating to the protection of human health and safety. Section 232.96(5) grants specific authority for disclosure of mental health communications in CINA adjudicatory proceedings to protect the health and safety of the children. Also, the Court said, under rules of statutory construction, section 232.96(5), a more specific statute, prevails over the general non-disclosure prohibitions of chapter 228.

The Court then looked to the HIPAA Privacy Rule and its prohibitions against disclosure of protected health information and concluded that Iowa’s laws prohibiting release of mental health information are more stringent than HIPAA’s disclosure prohibitions. When state law provides greater privacy protection, HIPAA says that state law prevails. Since the Court had concluded that Iowa’s laws on confidentiality and privilege gave way to the specific authority of Iowa Code section 232.96(5), HIPAA would not compel a different conclusion. After further analysis of the Privacy Rule’s exception for disclosures in judicial and administrative proceedings, the Court concluded that HIPAA does not supersede Iowa Code section 232.96(5) allowing evidence of otherwise privileged mental health communications in CINA proceedings.

The Supreme Court’s ruling in this case principally focused on the interplay between the section 232.96(5) exception allowing admission of otherwise privileged communications in CINA hearings and the privilege and non-disclosure provisions of section 622.10 and chapter 228. The Court, however, went on to say that its statutory conclusions also made policy sense.

The confidentiality interests advanced by section 622.10 and chapter 228 are important to effective mental health treatment, including for parents whose mental health struggles impeded their parenting abilities. “The American Psychiatric Association has recognized that confidentiality is essential to effective treatment, a view that has been confirmed by numerous empirical studies.” At the same time, “the protection of children is one of the most well-established duties and public policies of the State of Iowa.” Juvenile courts are duty bound to intervene and, if necessary, remove a child from the care and custody of parents. Here, the Court said, the Iowa General Assembly prioritized these competing policy interests in favor of access to evidence in CINA proceedings. “It is not our role to second-guess the policy choices of the elected branches.”

The Court also noted that even though section 232.96(5) abrogates the statutory psychotherapist privilege for purposes of CINA adjudicatory hearings, juvenile court records are automatically kept confidential without the need to obtain a protective order. While juvenile court proceedings are generally open to the public, the juvenile court may close a hearing upon motion of either party.

In its analysis of the interplay between the CINA statute permitting disclosure and Iowa statutes on privilege and confidentiality, the Court offered several instructive points, serving as reminders of already established law and legal principles in our state.

  • Iowa has no common law physician-patient privilege; the privilege is strictly statutory.
  • A privilege created by the legislature can be limited by the legislature.
  • While statutes creating privileges are liberally construed, the evidentiary privileges of section 622.10 are narrowly construed because they impede the full and free discovery of the truth.
  • Whether viewed broadly or narrowly, the language and plain meaning of section 232.96(5) is dispositive; courts are not free to rewrite statutes under the guise of liberal construction.
  • Here, the legislature, itself, has specifically directed that chapter 232 shall be liberally construed to best serve the child’s welfare.

Vigilance in responding to subpoenas for mental health information remains important. Physicians and medical clinics receiving subpoenas for release of mental health information must remain vigilant in their review of the subpoena, the communications and records being requested by that subpoena, and the context in which the subpoena has been issued. Again, this Supreme Court ruling is narrowly focused. Differences in facts and circumstances compel different results. The Iowa Supreme Court in no way intended to diminish the vitally important privilege and confidentiality protections of either section 622.10 or chapter 228.

Iowa’s physician practices know full well that mental health information is particularly sensitive. Risks of liability and/or negative treatment outcomes for inappropriate disclosure of mental health information are high. Physician practices are well advised to continue to seek legal counsel before responding to subpoenas for release of mental health information. Medical practices cannot ignore a subpoena but they also must assure that any release of mental health information is clearly supported in fact and law.

The October 24, 2014 posting (last in this series) addresses practical considerations for physicians using telemedicine, in meeting several of the proposed rule’s requirements as well as the proposed rule’s specific requirements re: financial interests, links to internet sites, prohibited relationships with preferred pharmacies, and prohibited internet transactions for prescribing controlled substances.

Requirements (standards) for physicians – practical considerations.

Proposed rule 653-13.11(10) – Informed consent

Proposed rule 653-13.11(11) – Coordination of care

Proposed rule 653-13.11(12) – Follow-up care

Proposed rule 653-13.11(14) – Medical records

Summary. Physicians using telemedicine must (1) obtain and document the patient’s informed consent including consent for the use of telemedicine; (2) identify the patient’s medical home and/or treating physician and provide them a copy of the medical record; (3) be knowledgeable of local resources for providing follow-up care and ensure the patient has access to appropriate follow-up care following a telemedicine encounter; and (4) ensure a complete, accurate, and timely medical record for the patient when appropriate and, further, ensure the patient and/or the physician designated by the patient has timely access to all information obtained during the telemedicine encounter, including timely providing the patient with a summary of each telemedicine encounter upon request.

Considerations. These matters are appropriate activities for physicians in managing a patient’s care. As regulatory standards, however, it is important to determine if and how the specific requirements of these provisions can be satisfied by the physician using telemedicine. AMA policy H-480-946 on “Coverage and Payment for Telemedicine” addresses each of these components as appropriate to telemedicine delivery without ascribing specific responsibility for them to the physician using telemedicine. Can a physician meet the obligations of these rules through protocol adopted by, for instance, a hospital offering telemedicine services? It is important to confirm that actual practices now in place would – or would not – satisfy these proposed standards before the Iowa Board of Medicine (IBM) adopts them. The physician using telemedicine will be held accountable for meeting each requirement.

Financial interests – links to internet sites – relationships with preferred pharmacies prohibited.

Proposed rule 653-13.11(19)

Summary. Advertising or promotion of goods or products from which a physician licensee receives direct remuneration, benefits, or incentives (other than fees for medical services) is prohibited.

A physician licensee should not benefit from internet links they provide to patients for purposes of general health information; when providing links, physicians should be aware of implied endorsements offered from such sites.

Physicians may not have preferred relationships with any pharmacy. Physician licensees shall not transmit prescriptions to a specific pharmacy or recommend a pharmacy in exchange for any type of consideration or benefit from the pharmacy.

Considerations. These prohibitions, filed by the IBM as part of its proposed telemedicine, are generally applicable to all physician licensees and are not addressed to “physicians who use telemedicine.” These prohibitions are taken directly from the Federation of State Medical Board’s “Model Policy for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine,” adopted by the FSMB in April 2014. These policies, to become disciplinary rules if adopted by the IBM, are matters that stand on their own. The IBM might consider filing separate notice of rulemaking on these specific provisions to assure fair notice of and full discussion on their impact upon all licensees, not only licensees using telemedicine.

Prescribing controlled substances – prohibited internet transactions.

Proposed rule 653-13.11(21)

Summary. Prescribing controlled substances to a patient based solely on an internet request, internet questionnaire, or a telephonic evaluation is prohibited.

Considerations. All physician licensees are subject to this proposed regulatory prohibition. Too, specific issues directed to online medical services merit focused discussion of their own. This provision should be separately noticed by the IBM to allow fair notice and opportunity for comment. Internet-based diagnostic and treatment services for low-risk medical conditions are now being promoted and seemingly well received in other states.

This prohibition addresses only prescribing controlled substances. Is it permissible, then, to prescribe non-controlled medications based solely on an internet request, internet questionnaire, or telephonic evaluation? How does this provision relate to proposed rule 13.11(8) which generally states that an internet questionnaire alone does not constitute an acceptable medical interview and physical exam for providing treatment, including issuing prescriptions, electronically or otherwise?

This prohibition on physician licensees very well may be appropriate. However, a proposed rule prohibiting this practice may be better evaluated on its own merits and not within the context of this already detailed rulemaking applicable to physicians using telemedicine.

This article is the final posting in this series on the Iowa Board of Medicine’s proposed standards of medical practice for physicians using telemedicine. We hope our comments foster discussion and, as may be appropriate, alternative approaches for these proposed physician disciplinary standards.

Telemedicine offers tremendous potential for increased access by Iowans to a wide range of highly skilled medical care as well as a dynamic environment for enhanced care communication and medical education. Many entities share responsibility for safe, competent, high quality telemedicine delivery. All parties, regardless of their positions on the proposed rules, want telemedicine to work well in Iowa.

We acknowledge the critical role the IBM plays in helping to assure competent and safe telemedicine delivery of medical care. At the same time, physicians subject to regulatory disciplinary standards must know what is required of them; must be reasonably capable of meeting regulatory expectations; and must not be inappropriately impeded by complex or confusing regulatory directives in pursuing this legitimate form of patient care delivery. The IBM’s rule proposal provides an excellent forum for understanding, discussion and debate in this evolving arena of health care delivery.

See our page dedicated to Telemedicine for all related articles, including our most current post.

The October 23, 2014 post addresses the proposed rule’s requirement for disclosures and functionality of telemedicine services and other provisions of the proposed rule that may be less the responsibility of physicians who use telemedicine and more the responsibilities of entities that purchase, offer and maintain telemedicine equipment and services.

Disclosures and functionality of telemedicine services.

Proposed rule 653-13.11(17)

Summary. The physician using telemedicine must clearly disclose to the patient the types of services to be provided; contact information for the physician; identity, licensure, board-certification, credentials, and qualifications of all health care providers providing the telemedicine service; limitations on drugs and services that can be provided via telemedicine; fees and cost sharing responsibilities; financial interests; appropriate uses and limitations of the technologies; uses and response times for emails, electronic messages, and other communications transmitted via telemedicine; to whom patient information may be disclosed and for what purposes; rights of patients with respect to patient information; and information collected and passive tracking mechanisms utilized.

Considerations. The disclosure responsibilities set forth in this proposed provision are many. The language of this provision is taken by the Iowa Board of Medicine (“IBM”) directly from the Federation of State Medical Board’s recently adopted “Model Policy for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine.” The IBM, however, goes one step further by proposing this policy statement as a disciplinary requirement for physicians using telemedicine.

The disclosure requirements may be appropriate for and within the capabilities of an entity offering telemedicine services. To impose this obligation upon the individual physician using telemedicine goes too far. This model policy language might more appropriately be part of a similarly adopted model policy of the IBM and/or others to guide telemedicine delivery in Iowa. This disclosure provision as currently drafted, however, is not a medical standard nor is it an appropriate matter for physician discipline.

Requirements (standards) for physicians – facility or physician responsibility?

Proposed rule 653-13.11(13) – Emergency Services

Proposed rule 653-13.11(15) – Privacy and Security

Proposed rule 653-13.11(18) – Patient Access and Feedback

Proposed rule 653-13.11(16) – Technology and equipment

Summary. The physician using telemedicine must: (1) establish written protocol for referral of a patient to an acute care facility or emergency department when necessary for the safety of the patient in case of an emergency; (2) ensure that all telemedicine encounters comply with HIPAA’s privacy and security measures and establish written protocols addressing matters such as health care personnel authorized to process messages, types of transactions to be transmitted electronically, quality oversight mechanisms, and archival and retrieval, which protocol must be evaluated periodically; (3) ensure the patient has access to mechanisms for accessing, supplementing, or amending patient-provided personal health information, giving feedback on the quality of the telemedicine services provided, and registering complaints, including how to file complaints with the IBM; and (4) ensure that technology and equipment used for telemedicine service delivery comply with relevant safety laws and technical safety codes, are of sufficient quality, size, resolution, and clarity needed to provide the medical services, and are compliant with HIPAA.

Considerations. Telemedicine service delivery generally involves physicians, hospitals and others, each of whom have roles and responsibilities for safe and effective telemedicine care. Many of the requirements imposed by these specific provisions  as “standards of practice” for physicians more appropriately are expectations for hospitals or other entities that purchase, maintain, and offer telemedicine services. It seems neither reasonable nor appropriate to place such regulatory expectations, subject to discipline for non-compliance, upon the individual telemedicine physician.

To illustrate, AMA policy H-480.946 on telemedicine says that “physicians, health professionals, and entities that deliver telemedicine services” must establish protocols for referrals and emergency services. The Federation of State Medical Boards addresses these issues within its “Model Policies for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine,” (adopted in April 2014). The FSMB policy on referrals for emergency services says that an emergency plan is required; it does not say the physician is singularly responsible for its development. The physician, however, must be prepared to implement that plan if a referral to an acute care facility or ER is necessary. By way of contrast, the IBM’s proposed rule on emergency services requires the physician who uses telemedicine to establish written protocol for referral of the patient to an acute care facility or emergency department.

Language in a disciplinary rule is important. These specific provisions call for further examination and drafting consideration before adoption. As noted above, these matters of telemedicine delivery of care might be better addressed as model policies or principles for telemedicine delivery in our State particularly in the absence of specific legislative directions from the Iowa General Assembly on telemedicine regulation. The IBM should not attempt to regulate all matters of telemedicine delivery through imposed disciplinary standards on physicians.

The October 24, 2014 posting (last in this series) addresses practical implications for physicians in meeting several of the proposed rule’s requirements  as well as the proposed rule’s specific requirements re: financial interests, links to internet sites, prohibited relationships with preferred pharmacies, and  prohibited internet transactions for prescribing controlled substances.

See our page dedicated to Telemedicine for all related articles, including our most current post.

Courts across the country have routinely decided that HIPAA does not create or authorize a private right of action.  [See Doe v. Board of Trs. of Univ. of Ill., 429 F. Supp.2d 930, 944 (N.D. Ill. 2006); Slue v. New York Univ. Med. Ctr., 409 F. Supp.2d 349, 373 (S.D.N.Y. 2006); See about 8th Cir. Case.]  HIPAA contains a pre-emption provision titled “Effect on State Law,” which states in part, that it “shall supersede any contrary provision of State Law,” but also an exception that HIPAA shall not supersede a conflicting State Law provision if the provision of State Law, “…subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.”  42 U.S.C. §132od-7 (1996).  Recently, the Supreme Court of Appeals of West Virginia dealt with a claim brought by an individual against St. Mary’s Medical Center, Inc., claiming “negligence, outrageous conduct; intentional infliction of emotional distress, negligent infliction of emotional distress, negligent entrustment, breach of confidentiality, invasion of privacy, and punitive damages.” R.K. v. St. Mary’s Med. Ctr., Inc. – – – S.E.2d – – – -, 2012 WL 5834577 (W.Va.:  Nov. 15, 2012).  The Plaintiff did not assert a claim under HIPAA.  The Supreme Court of Appeals of W. Va., overruling the lower court, found that R.K.’s state law claims for the wrongful disclosure of his medical and personal health information are not pre-empted by HIPAA…” (Id.) [See Health Law Express Express@hortyspringer.com (November 29, 2012)].  The case was remanded.

The outcome of this case and its application raises the issue of whether private actions of individuals for medical records privacy breaches can be successful.  As electronic health records and medical records conversion continues, any health entity involved with healthcare records should pay special attention to this case and the line of cases like it.  In my opinion, this result has the potential to limit the HIPAA pre-emption and to open the holders of healthcare records to new causes of action.   This result opens a large potential legal issue for holders of healthcare records.  You should watch the outcome of this case and make sure that, if you are a holder of healthcare records, you fully understand the ramifications of this case.