Abstract1
The coronavirus disease 2019 (COVID-19) public health emergency has amplified both the potential value and the challenges with healthcare providers deploying telehealth solutions. As people across the country find ways to stay at home, telehealth preserves an opportunity to obtain necessary healthcare services. Further, telehealth can help individuals avoid COVID-19 infection, free up hospital beds and other resources for those patients most in need, and prevent infected individuals from spreading that infection. Federal and state regulators have recognized this potential of telehealth and have quickly changed a variety of laws and regulations to enable healthcare providers to deploy solutions quickly. These changes can provide lasting benefits for the use of telehealth well after the current crisis. However, to best realize telehealth’s benefits, further legal and regulatory actions are necessary. Specifically, lawmakers and regulators should focus on six areas: reimbursement, privacy/cybersecurity, liability, licensure, technology access, and artificial intelligence.
Keywords: telehealth, privacy, cybersecurity, COVID, artificial intelligence, telemedicine
The Great Need for Telehealth
Healthcare providers, academics, and technology developers have advocated for increased use of telehealth for decades. As internet and communications technology has advanced, regulators have incrementally made changes to enable the use of telehealth solutions. The unique impacts of the coronavirus disease 2019 (COVID-19) public health emergency have created an unprecedented amount of regulatory changes for telehealth. These changes should help address the current crisis and provide an opportunity for much needed longer-term evolution of US healthcare delivery to improve health outcomes and lower costs. This paper provides an overview of recent regulatory changes that enable telehealth and proposes additional modifications that will be particularly helpful in the battle against COVID-19 and the future development of telehealth services.
Across the USA as we encourage everyone to stay home, telehealth provides an opportunity to reduce the visits to doctors’ offices and hospitals. These reduced visits protect against COVID-19 patients infecting others (particularly healthcare workers) and help protect patients with other medical issues from infection. In addition, telehealth services create the potential to release patients earlier from the hospital and to avoid new hospital visits, which potentially frees up hospital beds and equipment for those patients who most need them.
As we increasingly see outbreaks of infection in post-acute congruent living facilities such as assisted living centers and retirement communities, telehealth can and should be used to protect their elderly and other high-risk residents.2 Another benefit of telemedicine, the need for which has increased during this emergency, is to provide healthcare for communities, which have limited access to needed services. These communities often include rural and underserved urban areas that may have limited internet broadband service and whose residents may have less access to other telehealth technologies such as a smartphone.3 These underserved communities may often need to rely on voice-only telehealth services.
Telehealth is at least as old as the invention of the radio and the telephone.4 Medicare has actually reimbursed for some telehealth services for over 20 years. There have been periods of healthcare providers advancing use of these services, but always followed by a waning period due to the lack of proper incentives and challenges with interoperability.5 Recent advances in broadband internet access, internet of things devices, electronic health records, and advanced data analytics have created a surge in both , the capability, and the cost efficiency of telehealth services. The current public health emergency necessitates a detailed look at the federal and state telehealth regulations to determine what changes will properly incentivize rapid adoption of the technology while also mitigating concerns related to safety, privacy, cybersecurity, and how best to assist underserved communities and people.
Telehealth is a broad set of services that includes telemedicine delivery of clinical care as well as other nonclinical activities, such as provider training, administrative meetings, and continuing medical education.6 The American Telemedicine Association (the ATA) defines the subset of telehealth referred to as telemedicine as ‘a health care provider’s provision of services to a patient using telecommunications technology, where the patient and provider are in different locations’. One particularly important category of telehealth services, which is often treated separately by regulators, is remote patient monitoring (RPM). The ATA defines RPM as ‘including home telehealth, uses devices to remotely collect and send data to a home health agency or a remote diagnostic testing facility (RDTF) for interpretation. Such applications might include a specific vital sign, such as blood glucose or heart ECG, or a variety of indicators for homebound consumers. Such services can be used to supplement the use of visiting nurses’.7
Telehealth services are often divided into three separate categories: synchronous, asynchronous, and RPM.8 Synchronous services allow for direct engagement between a healthcare provider and the patient using phone, video, or data transmission such as texting. Asynchronous services allow patients and healthcare providers to store information and forward it to the other party with an expectation that they will hear back at some point in the future. The delivery of photos for examination is particularly effective in asynchronous services. RPM allows for a mix of both synchronous and asynchronous communication to allow healthcare providers to evaluate a patient’s progress over time. The Department of Health and Human Services (HHS) conducted a study that demonstrated that healthcare providers across many specialties were using these services even before the current crisis.9
Telehealth, and especially RPM, has the potential to increase the number of healthcare providers by recruiting retired doctors and nurses who may have valid reasons not to want to work face to face with a patient (a compromised immune system or an injury that prevents the physical work that a hospital often requires), but who would like to put their skills and experience to use. In addition, the data that telehealth implementations create can be of tremendous value to public health agencies and health researchers.
Federal and state governments have recently removed many telehealth implementation barriers for the duration of the current emergency. The Food and Drug Administration (FDA), the Office of Civil Rights (OCR) at the Department of Health and Human Services, the Centers for Medicare and Medicaid Services (CMS) at the HHS, the Substance Abuse and Mental Health Services Administration (SAMHSA) at the HHS, the Drug Enforcement Administration at the Department of Justice, and state health and human services agencies all have done remarkable work to enable telehealth. This crisis can provide the USA with an opportunity to assess the role telehealth can play in our healthcare system and what regulations are necessary to increase its use and value while also protecting patients from risks created by the remote delivery of services. To assist with the US learning what we can during the emergency, the following provides a summary of some of the recent regulatory changes and recommendations for additional actions:
Barriers, Recent Activity to Remove Them, and Proposals for Additional Action
This paper focuses on six categories of public policy barriers to the implementation of telehealth: reimbursement, privacy/cybersecurity, liability, licensure, technology access, and artificial intelligence (AI).
Reimbursement
One of the most impactful barriers to the implementation of telehealth solutions has been whether the amount allowed for payment is enough to create an economic incentive for doctors (especially given the current demands on doctors’ and their staff’s time), and for system integrators and device manufacturers to develop the technology. CMS has made great progress in recent months in providing for greater reimbursement for Medicare patients by making a number of changes that apply for the duration of the current emergency.10
These changes allow healthcare providers to now bill for the following telehealth services:
initial and subsequent observation and observation discharge day management;
audio-only telephone services for certain services;
initial hospital care and hospital discharge day management;
initial nursing facility visits, all levels (low, moderate, and high complexity) and nursing facility discharge day management;
critical care services;
domiciliary, rest home, or custodial care services, new and established patients;
home visits, new and established patient, all levels;
inpatient neonatal and pediatric critical care, initial and subsequent;
initial and continuing intensive care services;
care planning for patients with cognitive impairment;
psychological and neuropsychological testing;
therapy services, physical and occupational therapy, all levels;
radiation treatment management services;
licensed clinical social worker services, clinical psychologist services, physical therapy services, occupational therapist services, and speech-language pathology services can be paid for as Medicare telehealth services
Taken together, these reimbursement changes allow for provider compensation for a broad set of telehealth services potentially at lower cost than in-person care. The experience in other countries supports the conclusion that reimbursement changes can significantly increase the potential of healthcare providers investing in the tools, processes, and training necessary to effectively provide services during the current crisis. For example, when France changed its reimbursement policies, they originally expected 1.2 million virtual care consultations for 2020, but recent data suggest they may see in excess of 5 million visits by the end of the year.11
CMS will also now provide for reimbursement for RPM services for acute conditions as well as chronic, and that expansion will extend beyond the public health emergency.12 This change can enable remote monitoring of those exhibiting symptoms of COVID-19 and has potential to allow for earlier release from the hospital for patients freeing up beds for those who have more serious needs.
Healthcare providers can now perform RPM services when the caregiver is not located in the same physical location as the doctor. This change allows for new business models employing nurses and other healthcare providers who may have concerns or challenges with working in the doctor’s office. Other significant CMS changes include permitting RPM services for new as well as existing patients, and that RPM providers will only need to obtain patient consent once per year.13
Reimbursement Proposals
Although CMS has made many changes to Medicare reimbursement to encourage the use of telehealth during the public health emergency, there are further changes that can be made, especially in the area of RPM. Even with the recent changes, there are still low limits to the amount of time allowed for RPM and the amount allowed to be billed. These limits will discourage providers from offering services that could greatly assist patients, reduce risk during the crisis, and over time lower healthcare costs.14
Recent CMS changes only allow for two 20-minute RPM sessions to be billed per month at a national average of $54. To effectively allow for RPM management of COVID-19 symptoms (particularly pulse oximeter readings), CMS should allow for a greater amount of monthly time and an increased billing rate. Also, currently, only a primary care physician or a specialist is allowed to bill for RPM in any particular month. Coverage should be expanded to allow for the primary care physician and multiple specialists to each bill as they may be monitoring different illnesses, such as diabetes and COVID-19. CMS should also allow for reimbursement for the cost of the devices that need to be used by the patient for RPM.
There are restrictions on RPM services that do not allow certain organizations to bill Medicare. CMS should immediately allow Federally Qualified Health Centers (FQHC), rural health centers, and home health agencies to bill for RPM services. Also, given the current issues of COVID-19 infection in congruent living facilities such as nursing homes and rehabilitation centers, CMS should follow up on the expansion of Medicare coverage for RPM from chronic to acute and further expand it to post-acute care. Billing should be allowed for multiple RPM sessions a day for post-acute care. This change for post-acute RPM services will assist patients to return to their homes earlier and reduce risks to themselves and others. To aid in that goal, CMS should allow for reimbursement for provider telehealth visits with family caregivers. If these changes are collectively made, it will allow families to better care for their loved ones in their homes.
HHS should also explore changes that will assist patients and providers to better use the technology and to navigate the often-difficult billing codes and processes. HHS should provide operational guidance to Medicare Administrative Contractors for claims processing/billing requirements for expanded telehealth services. This should include guidance for Rural Health Clinics and FQHCs. Also, many telehealth services still require video for CMS to provide for reimbursement.15 This video requirement may substantially limit the use of these services by underserved populations who do not have access to a smartphone or broadband internet. CMS should look to expand reimbursement coverage for telehealth audio-only services. Audio-only services will allow individuals who are most comfortable with talking on the phone to have meaningful discussions with their providers and to reduce the need for broadband internet access. This change will be particularly helpful during the current crisis, as it will reduce logistical challenges of sending new devices to patients and educating them on how to use the technology.
The current emergency also should encourage CMS to look at reimbursing for new healthcare services that hospitals are currently struggling to provide. Specifically, Medicare beneficiaries should be able to access respiratory therapy services necessary for their recovery via telehealth and remote monitoring solutions.16 These services should not be limited just to COVID-19 patients.
Privacy/Cybersecurity
Telehealth creates new cybersecurity and privacy risks, as the patient’s home may not have the same protections in place as a provider’s office.17 Telehealth also creates new opportunities for health information sharing that have privacy and security implications. Understanding what further cybersecurity and privacy regulatory changes need to be made requires an overview of the current regulatory environment.
The USA has a long-established regulatory framework for protecting the privacy and cybersecurity of health data. That framework is primarily composed of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HIPAA Privacy Rule, and the HIPAA Security Rule.18 In 2016, Congress passed the 21st Century Cures Act to promote the interoperability of electronic health records and to allow the patient to control the sharing of their personal health information.19 On March 9, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published the Cures Act Final Rule, which implements the interoperability provisions of the 21st Century Cures Act to promote patient control over their own health information while protecting privacy and cybersecurity.20 This rule makes many needed changes and has potential to greatly increase patient access to their health records, and HHS now needs to take steps to increase the speed of implementation.
Within HHS, OCR enforces the security and privacy rules. OCR has provided a number of useful clarifications and changes to increase the use of telehealth during the emergency. These following clarifications to encourage greater health information sharing specifically will be important to further the adoption of telehealth services that often require multiple providers, tools, and business associates.21
Interoperability
Although the Cures Act Final Rule was just published on March 9, CMS quickly determined that the deadline for compliance of January 2, 2021, maybe unreasonable given the COVID-19 resource strain. Interoperability presents practical systems development challenges that if addressed poorly can create significant cybersecurity and privacy issues. As a result, CMS and ONC delayed the requirement for compliance with many of the requirements of the Rule.22
Patient Consent
OCR reiterated that HIPAA was intended to allow for the sharing of information without the consent of the patient as necessary to treat the patient or another patient.23 For the current crisis, the sharing of clinical information may be impactful for the treatment of other patients. To mitigate privacy concerns, it is important to educate providers and the public that this form of health information sharing is necessary. The California Consumer Privacy Act has brought considerable attention to the concept that individuals should be able to control their personal data, even while exempting HIPAA covered Protected Health Information (PHI) from its requirements.24 At the same time, many privacy experts argue in the favor of moving away from an exclusive focus on consent to enable the sharing of information that is better for the individual and society.25 As COVID-19 contact tracing efforts bring more attention to privacy,26 it will be important to avoid a public backlash against health information sharing by HHS communicating to the public the importance of the exceptions to consent requirements.
HHS has also gone further to give providers latitude for information sharing during the crisis. On March 15, 2020, HHS made a waiver for up to 72 hours from the time the hospital implements its disaster protocol that covered hospitals would not be sanctioned for failure to comply with five provisions of the HIPAA Privacy Rule: (i) obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care, (ii) honoring a request to opt out of the facility directory, (iii) distributing a notice of privacy practices, (iv) complying with a patient’s request for privacy restrictions, and (v) complying with the patient’s right to request confidential communications.27
Sharing with Public Health Authorities, Law Enforcement, and First Responders
OCR made clear that the HIPAA Privacy Rule allows Covered Entities to share information without patient consent with public health authorities, first responders, and law enforcement,28 at the discretion of public health authorities, a foreign government agency,29 and persons at risk of contracting or spreading a disease or condition.30 These disclosures may only transfer the minimum necessary information to accomplish the purpose.31
Telemedicine Cybersecurity
Physicians have restricted the technology they have used for telehealth to remain compliant the HIPAA Security Rule. OCR’s February of 2020 notification states that Covered Entities and Business Associates need to continue to comply with obligations to properly provide cybersecurity protections for PHI. The notification says: ‘In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information’.32
However, in March 30, 2020, notification OCR stated: ‘During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules. OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately’. This added flexibility is not limited to just COVID-19 patients and should provide physicians the ability to use common technologies like texting to greatly increase their communications with patients.
OCR goes on in the March 30 notice to distinguish between public-facing communications technologies, which are not covered, and those that allow for private communication. They provide a nonexhaustive list of these covered private communication technologies: ‘Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications’. 33 As OCR allows for a greater selection of devices for telehealth, there will be an increased need to educate providers on how to increase their level of cybersecurity. One project that will help with this is the National Institute of Technology and Standards’ (NIST) effort to increase cybersecurity in telehealth. NIST’s National Cybersecurity Center of Excellence is conducting the Securing Telehealth Remote Patient Monitoring Ecosystem project,34 which will use the NIST Cybersecurity Framework35 to apply a risk assessment methodology to develop a specific telehealth NIST Cybersecurity Practice Guide.
Business Associate Information Sharing
Telehealth experts have expressed concern that provisions of HIPAA may restrict entities that fall under the ‘Business Associate’ definition from sharing information with public health authorities, first responders, and law enforcement.36 As many telehealth providers may fall under this definition, there was a need to remove this regulatory concern. On April 2, OCR provided notice that it will exercise its enforcement ‘discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency’.37
Privacy/Cybersecurity Proposals
Allowing broadly used technologies for telehealth is an important way to ramp the use of these services during the emergency. After the US moves beyond the emergency, it will be important to study the privacy and cybersecurity risks of using these general commercial platforms for telehealth. For example, Congress, HHS, and state regulators should fund the study of how health data obtained by the companies providing these platforms may have been commercialized and or transferred to other entities such as data brokers and online advertising providers. Also, Congress should provide increased funding for NIST’s Securing Telehealth Remote Patient Monitoring Ecosystem project and other methods to increase the use of the NIST Cybersecurity Framework by telehealth providers.
The use of new telehealth technologies and services does create the potential for increased privacy and cybersecurity risks, as it expands the footprint for cybersecurity attack to the use of new hardware and software, and outside of the providers information technology network.38 However, some of the existing restrictions that are intended to protect against these risks do not make sense in the current environment. For example, although OCR removed the risk of enforcement for sharing Business Associate information with public health authorities, there are still concerns that the contracts between HIPAA Covered Entities and their Business Associates may restrict the sharing of this information. Congress should put in place a legislative change to make these contract provisions unenforceable, and to create an obligation for sharing with public health authorities and approved researchers. This legislative change should also require the approved researchers to put measures in place to make certain the data is only used for healthcare research and not for data mining or other commercialization of the information.
Given that the ONC Interoperability Rule under the 21st Century Cures Act Final Rule was just published in March it is not surprising that there is still considerable work to be done to realize the interoperability of electronic health records.39 The ONC rule calls for providers and medical device developers to promote patient data access using third-party apps and application programming interfaces (APIs) to share information between providers and among the different electronic health record vendors. Improved sharing of electronic health records has the potential to greatly benefit telehealth, and specifically RPM. OCR should fund a study for how to best incentivize the implementation of the APIs and for how patients can most efficiently decide to share telehealth information with new healthcare providers.
Telehealth also involves the use and sharing of information by entities that will not fall under HIPAA’s scope.40 The processing of that data will then be covered by Section 5 of the US Federal Trade Commission (FTC) Act’s language regulating unfair or deceptive trade practices. State consumer protection and privacy laws may also apply to these uses of data. Many privacy commentators, including me,41 have described this patchwork of FTC and state enforcement as confusing and inadequate.42 To better foster trust in the use of telehealth, Congress should pass a strong comprehensive privacy law that provides the FTC with rule-making authority and substantially increased resources.
Liability
Malpractice liability remains a concern for providers of telehealth services. These concerns include a lack of a clear understanding of how the standard of care applies in telehealth, questions of whether existing malpractice insurance policies cover these services, and which state’s law applies if the patient and the provider are located in different areas of the country.43 There are concerns that telehealth services do not allow for certain medical practices that have been considered standard for treating patients with respiratory issues, such as being able to listen to the lungs with a stethoscope. It is unclear whether telehealth’s inability to allow a healthcare professional to perform these time-tested approaches will impact their potential malpractice liability if there is an incorrect diagnosis.44 Some states are taking action in this area. Hawaii has passed a law requiring malpractice insurance carriers to provide coverage for telehealth services.45 Other states like New York have temporarily created exemptions from malpractice liability except in situations of gross negligence.46 It is unclear whether concerns about when these temporary exemptions will expire will discourage healthcare providers from substantially investing in telehealth infrastructure due to fear of longer-term malpractice liability.47
Liability Proposals
There is continued uncertainty about the extent to which malpractice insurance carriers cover claims arising from telehealth services.48 States should expand their telehealth parity laws to require insurance carriers to include malpractice coverage for telehealth services on par with how they cover face-to-face services and for coverage of services outside the geographic area where the doctor is licensed. Also, given the possibility that telehealth may increase, or at least present new, cybersecurity risks providers also need to understand the extent to which their policies cover cybersecurity and the exemptions to coverage such as attacks by foreign nation-states.49 Congress should fund the development of education materials for doctors to check with their malpractice insurance carriers to make certain the terms of insurance policies will cover all telehealth services they are planning to provide.
Licensure
Many of the healthcare workers who are needed to address the current public health crisis are regulated by state professional licensure requirements that limit work across state lines. These workers include doctors, nurses, nurse practitioners, and nurses’ aides. Telehealth and RPM can best realize their potential to address COVID-19 if they allow for healthcare workers in states that are not experiencing large infection rates to provide services to those states that are currently in crisis. This is especially true in certain practice areas where some states may have limited numbers of specialists.50
There is an existing system that 17 states and the District of Columbia have enacted to deal with emergency needs for healthcare providers. Those states have enacted versions of the Uniform Emergency Volunteer Health Practitioner Act (UEVHPA), which is model legislation developed in 2006 by the Uniform Law Commission.51 When enacted by a state, the system allows for the emergency recognition of out-of-state healthcare licenses.
Along with emergency declarations, there are also longer-term reciprocity frameworks to recognize out-of-state healthcare licenses. An example of this type of framework is the Enhanced Nurse Licensure Compact (eNLC). The eNLC provides for automatic recognition of nursing licenses from over 30 states that participate in the agreement.52
Many states are also amending their licensure requirements in more targeted ways.53 For example, Alaska, Missouri, and Tennessee have implemented reciprocity policies. Also, New Jersey took action to expedite approval for out-of-state-doctors applying for licensure.54 Connecticut is an example of a state that took more specific licensure action to enable telehealth. The state suspended the licensure/certification/registration requirements to allow telehealth services by out-of-state professionals.55
Licensure Proposals
Shortages of healthcare workers in communities with high numbers of COVID-19 patients are a significant concern.56 Additional changes are necessary so that telehealth can allow doctors and nurses in other states to help even out those local shortages. States that have not passed a UEVHPA law should do so quickly. Also, states that are currently not participating should join the eNLC. All states should amend necessary legislation to allow for the provision of telehealth services by individuals physically located outside of the state. HHS should work with state governors to put in place executive orders that allow for the creation of Emergency Management Assistance Compacts (EMACs). EMACs can allow for mutual recognition of doctors between states. More information on EMACs, including a template executive order, is available at https://www.emacweb.org/. All states should explore making permanent reciprocity for out-of-state telehealth professionals.
Technology Access
To realize the benefits of telehealth, providers will need to deploy the technology to communities that currently lack broadband internet access and the use of smartphones. This broad use of the technology will create more diverse data that will over-time produce better telehealth implementations. The focus on increasing use of the technology will also help extend healthcare services to rural areas and undeserved urban communities. Communities that are underserved with healthcare services may also be those that have limited access to reliable broadband internet service and/or the understanding of how to deploy telehealth technology.
Regulators have worked to broaden the list of available technologies to use with telehealth services, including those that can be deployed on smartphones. In addition, HHS has funded the creation of a national network of telehealth resource centers, which focus on training telemedicine providers.57
Technology Access Proposals
Doctors and patients have to figure out how to use new technologies and incorporate the tools into their lives and work. Outreach to doctors and patients to provide assistance on how to implement telehealth technology is necessary, including providing easy to understand education materials. To increase telehealth technology access and further the creation of diverse telehealth data for analysis, regulators should promote telehealth access across the country. HHS should increase the funding for the national network of telehealth resource centers with a specific focus on rural areas and underserved urban areas. These resource centers are important ways to help doctors and other providers understand how to offer telehealth services.
Artificial Intelligence
The broadened set of new telehealth technologies (especially end point RPM technologies like Bluetooth-enabled thermometers and pulse oximeters) will create more data that can be useful to train AI algorithms. Because COVID-19 is so new, there are little data to use to train analytical algorithms and AI solutions to determine how best to spot COVID-19 infection, to determine which patients are at increased risk of acute illness, and to develop a more effective treatment.58
New algorithms deployed in telemedicine require a lengthy FDA premarket assessment process. Although there are many of the current proposals for the use of AI in hospital-based care, there are a number of use cases where the technology can be useful in telehealth.59 Technology providers are pushing AI algorithms to ‘the edge’, meaning that they will run on the end point devices used by patients such as scales, thermometers, and pulse oximeters.60 The FDA’s traditional approach to medical device review was not designed for adaptive AI and machine learning (ML) technologies. Under the FDA’s current approach to software modifications, the FDA anticipates that many AI software updates will need a premarket review. Such a review process would substantially limit the benefits that can come from quickly updating software based on AI learning.
The FDA has recently proposed modifications to this assessment process that have potential to increase the speed of the implementation of software changes created by ML and other AI tools.61 The FDA proposal is based on the following four principles: (i) Establish clear expectations on quality systems and good ML practices, (ii) this proposed regulatory approach would apply to only those AI/ML-based software as a medical device that requires premarket submission and not those that are exempt from requiring premarket review, (iii) expect manufacturers to monitor the AI/ML device and incorporate a risk management approach, and (iv) enable increased transparency to users and the FDA using post-market real-world performance reporting for maintaining continued assurance of safety and effectiveness.62
The FDA is also making changes that will allow AI to be more useful with RPM technologies. In March of 2020, the FDA provided a notification of enforcement policy to provide flexibility in the use of a number of noninvasive RPM technologies. The policy document states: ‘FDA does not intend to object to limited modifications to the indications, claims, functionality, or hardware or software of FDA cleared non-invasive remote monitoring devices that are used to support patient monitoring (hereinafter referred to as “subject devices”) during the declared public health emergency, as described in more detail below, without prior submission of a premarket notification under section 510(k) of the FD&C Act and 21 CFR 807.81.5’.
The FDA policy document included examples of permissible modifications, such as ‘the inclusion of monitoring statements related to patients with COVID-19 or co-existing conditions (such as hypertension or heart failure); for subject devices previously cleared only for use in hospitals or other health care facilities, a change to the indications or claims regarding use in the home setting; and hardware or software changes to allow for increased remote monitoring capability’.63 These allowed modifications pave the way for the FDA to learn more about how these technologies function in practice during the emergency, and what level of review will be necessary once the crisis subsides.
AI Proposals
Once providers are using telehealth solutions more broadly, there will be opportunities to gain value from the data those implementations create. Two policy priorities can then make better use of that data. First, Congress should require electronic health record vendors and healthcare providers to share data with health researchers using federated homomorphic encryption solutions.64 These encryption solutions can allow for important research using telehealth data while still preserving the privacy and cybersecurity of the underlying personal health information.65
HHS should encourage health researchers to use the increased data provided by telehealth services to train AI software that can further improve not only the telehealth services, but also other clinical care, healthcare operations, and research. Also, CMS should create emergency reimbursement codes for the use of narrow AI solutions such as methods to triage patients (either for the first step in a telemedicine appointment with a doctor, or as part of an automated RPM application like a daily set of questions asked by a smartphone application or through a digital assistant with voice recognition like the Amazon Echo or the Apple HomePod).
To help enable this ecosystem of the use of telehealth data to improve AI healthcare algorithms, the FDA should move quickly forward with its proposed new AI assessment process.66 Concurrently, the FDA should create a streamlined assessment pathway for critical AI uses in addressing COVID-19, such as allowing rapid retraining of known cleared AI applications toward other uses and further expansion of them for those new uses. An example of this type of expansion for a new purpose could be the use of algorithms that have been used in radiology to assist a doctor in spotting lung cancer to now also detect COVID-19 respiratory infection. Data from telehealth could provide substantial assistance in augmenting existing training data with an understanding of how patients progress over time.
Conclusion
The FDA, HHS, and state regulators have done tremendous work in a short period of time to remove regulatory barriers and create incentives to enable the use of telehealth, and specifically RPM services, during the COVID-19 public health emergency. There are still actions that need to be taken in the areas of reimbursement, privacy/cybersecurity, liability, licensure, technology access, and AI. As we move past the crisis, regulators should examine how companies are using personal health information that is transmitted using telehealth technologies, and whether additional restrictions on the use of the data are necessary.
Further, this emergency will likely introduce millions of Americans to using telehealth services, providing substantial benefits to patients including, but not limited to, those who live in rural areas with limited access to healthcare. Regulators should make use of the data on the use of these services during this emergency. Collecting data and allowing for its analysis by researchers can assist Congress, HHS, and state regulators to determine which of the regulatory changes to make permanent. This data analysis can also help determine what further changes are necessary to properly incentivize providers to fully utilize these services, technology companies to continue to innovate in this area, and for insurers to adequately reimburse and cover malpractice claims.
Footnotes
Many thanks to Nick Galvez, Bonnie Britton, Nita Farahany, Matt Perault, Christina Silcox, Courtney Van Houtven, Jackie Medecki, Ari Schwartz, John Banghart, Justin Sherman, Micalyn Struble, and Alexander Hoffman for reviewing and providing feedback on this paper.
https://www.cdc.gov/coronavirus/2019-ncov/hcp/long-term-care.html (accessed May 25, 2020).
https://www.fcc.gov/reports-research/reports/broadband-progress-reports/eighth-broadband-progress-report; https://www.pewresearch.org/fact-tank/2019/05/07/digital-divide-persists-even-as-lower-income-americans-make-gains-in-tech-adoption/ (accessed May 25, 2020).
https://blog.evisit.com/history-telemedicine-infographic (accessed May 25, 2020).
https://revcycleintelligence.com/news/medicare-reimbursement-rules-limit-telehealth-adoption (accessed May 25, 2020).
https://www.healthit.gov/faq/what-telehealth-how-telehealth-different-telemedicine (accessed May 25, 2020).
https://www.americantelemed.org/resource/why-telemedicine/ (accessed May 25, 2020).
Michael A. Dowell, Federally Qualified Health Center and Rural Health Center Telemedicine Compliance and Legal Issues, 21 J. Health Care Compliance 5, 6 (2019).
Annette M. Totten et al., Telehealth: Mapping the Evidence for Patient Outcomes from Systematic Reviews, Agency for Healthcare Research and Quality, June 2016, at 22.
https://www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth-Codes (accessed May 25, 2020).
https://hitconsultant.net/2020/05/14/covid-19-global-impact-primary-care-virtual-consultations/#. Xr6w7WhKhPY (accessed May 25, 2020).
https://mhealthintelligence.com/news/cms-affirms-payment-parity-for-telehealth-adds-more-covered-services (accessed May 25, 2020).
https://www.cms.gov/files/document/covid-final-ifc.pdf (accessed May 25, 2020).
https://news.careinnovations.com/blog/how-rpm-helps-achieve-the-triple-aim-of-healthcare (accessed May 25, 2020).
https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet (accessed May 25, 2020).
https://www.latimes.com/california/story/2020-04-07/coronavirus-respiratory-therapists-ventilators-shortage (accessed May 25, 2020).
https://www.nccoe.nist.gov/sites/default/files/library/fact-sheets/hit-th-fact-sheet.pdf (accessed May 25, 2020).
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html (accessed May 25, 2020).
https://www.healthit.gov/curesrule/overview/about-oncs-cures-act-final-rule (accessed May 25, 2020).
https://www.healthit.gov/sites/default/files/cures/2020-03/ONC_Cures_Act_Final_Rule_03092020.pdf (accessed May 25, 2020).
https://www.healthaffairs.org/doi/full/10.1377/hlthaff.2013.0997 (accessed May 25, 2020).
https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index (accessed May 25, 2020).
https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf (accessed May 25, 2020).
https://www.brookings.edu/blog/techtank/2019/04/29/a-federal-privacy-law-could-do-better-than-californias/ (accessed May 25, 2020).
https://www.brookings.edu/research/why-protecting-privacy-is-a-losing-game-today-and-how-to-change-the-game/ (accessed May 25, 2020).
https://www.washingtonpost.com/politics/2020/04/28/contact-tracing-apps-can-help-stop-coronavirus-they-can-hurt-privacy/ (accessed May 25, 2020).
https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf (accessed May 25, 2020).
45 CFR §§ 164.501 45 CFR 164.512(b)(1)(iv), 45 CFR; 164.512(k)(5), 45 CFR 164.512(j)(1) and 164.512(b)(1)(i).
45 CFR 164.512(b)(1)(i).
45 CFR 164.512(b)(1)(iv).
45 CFR 164.502(b).
https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf (accessed May 25, 2020).
https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html (accessed May 25, 2020).
https://www.nccoe.nist.gov/projects/use-cases/health-it/telehealth (accessed May 25, 2020).
https://www.nist.gov/cyberframework (accessed May 25, 2020).
https://www.mwe.com/insights/ocr-waives-penalties-for-certain-phi-use-disclosure-by-business-associates-during-covid-19-emergency/ (accessed May 25, 2020).
https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf (accessed May 25, 2020).
https://www.healthcareitnews.com/news/nist-mitre-offer-cybersecurity-tips-telehealth-deployments (accessed May 25, 2020).
https://ehrintelligence.com/news/how-the-coronavirus-could-push-health-it-to-ehr-interoperability (accessed May 25, 2020).
https://thehealthcareblog.com/blog/2020/02/10/healthcare-in-the-national-privacy-law-debate/ (accessed May 25, 2020).
https://blogs.intel.com/policy/2019/05/27/the-u-s-must-have-strong-enforcement-for-a-successful-privacy-regime/ (accessed May 25, 2020).
https://www.privacyforamerica.com/ (accessed May 25, 2020).
https://www.natlawreview.com/article/doctor-medical-malpractice-issues-age-telemedicine (accessed May 25, 2020).
https://www.kff.org/womens-health-policy/issue-brief/opportunities-and-barriers-for-telemedicine-in-the-u-s-during-the-covid-19-emergency-and-beyond/ (accessed May 25, 2020).
HI Rev. Stat. § 671.7(a) (2019); Center for Connected Health Policy, ‘State Telehealth Law & Reimbursement Policies: A Comprehensive Scan of the 50 States & the District of Columbia’ (Fall 2019).
Executive Order, New York: No. 202.10 at 2, https://www.governor.ny.gov/news/no-20210-continuing-temporary-suspension-and-modification-laws-relating-disaster-emergency (accessed May 25, 2020).
https://www.law360.com/insurance/articles/1272579/11-post-pandemic-predictions-for-telehealth-regulation (accessed May 25, 2020).
https://www.cchpca.org/telehealth-policy/malpractice (accessed May 25, 2020).
https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html (accessed May 25, 2020).
https://www.ruralhealthinfo.org/toolkits/telehealth/2/care-delivery/specialty-care (accessed May 25, 2020).
https://www.uniformlaws.org/committees/community-home?CommunityKey=565933ce-965f-4d3c-9c90-b00246f30f2d (accessed May 25, 2020).
https://nurse.org/articles/enhanced-compact-multi-state-license-eNLC/ (accessed May 25, 2020).
https://www.fsmb.org/siteassets/advocacy/pdf/states-waiving-licensure-requirements-for-telehealth-in-response-to-covid-19.pdf (accessed May 25, 2020).
https://www.astho.org/StatePublicHealth/States-Leverage-Telehealth-to-Respond-to-COVID-19/04-08-20/ (accessed May 25, 2020).
https://www.natlawreview.com/article/connecticut-governor-lamont-expands-access-to-telehealth-services-response-to-covid (accessed May 25, 2020).
https://www.healthcaredive.com/news/covid19-respiratory-therapists-staffing/575033/ (accessed May 25, 2020).
https://www.telehealthresourcecenter.org/ (accessed May 25, 2020).
https://towardsdatascience.com/artificial-intelligence-against-covid-19-an-early-review-92a8360edaba (accessed May 25, 2020).
https://www.forbes.com/sites/cognitiveworld/2020/04/16/edge-ai-is-the-future-intel-and-udacity-are-teaming-up-to-train-developers/#6b3cf92768f2 (accessed May 25, 2020).
https://mhealthintelligence.com/news/at-the-cutting-edge-of-healthcare-iot-data-in-preventative-care (accessed May 25, 2020).
https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-software-medical-device (accessed May 25, 2020).
https://www.fda.gov/media/122535/download (accessed May 25, 2020).
https://www.fda.gov/media/136290/download (accessed May 25, 2020).
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5961814/ (accessed May 25, 2020).