Below is an excerpt of a contributed article co-authored with Robinson+Cole Business Litigation Group partner Seth Orkand published in Medical Economics on July 27, 2021.

How a hodgepodge of federal and state telehealth waivers creates compliance concerns for providers practicing across state lines.

In response to the devastating COVID-19 pandemic in 2020, the federal government and state governments took a number of overlapping actions to promote telehealth as an alternative method for effectively delivering patient care while lowering risk of transmission – passing laws, updating regulations, issuing waivers and executive and agency orders, and releasing sub-regulatory guidance. Insurance companies and providers took corresponding steps to embrace telehealth, standing up new telehealth platforms and processes almost overnight. The result was a significant expansion of telehealth services, programs, and technologies that enabled patients to access critical care from the comfort of their homes, reduce the risk of transmission, and enable providers to reserve in-person care for higher acuity conditions.

These changes were crucial because regulatory and payment restrictions on telehealth limited its utility prior to the pandemic, except in certain situations and for specialized care for specific conditions. The COVID-19 expansion of telehealth resulted from a joint federal-state effort to waive, amend, and remove those restrictions. Importantly, inconsistencies in the approaches taken by states and the federal government, and inconsistent messaging from regulators, resulted in differing regulatory regimes for providers, particularly those who sought to provide care to patients across state lines, which was necessary as patients and providers scattered throughout the country in response to the pandemic. As a result, health care providers have raised questions regarding the permissibility of telehealth practice across state lines, and of potential exposure to audits for providers who have been reimbursed for telehealth services delivered to patients in states where providers may not be licensed. These questions – and the differences in approach taken between states – are becoming more acute as states terminate or allow state-level emergency declarations to expire, which in many cases end waivers that have enabled telehealth services during the pandemic. Read the article.

On July 6, 2021, Connecticut Governor Ned Lamont signed into law Public Act 21-113 titled “An Act Concerning Opioids” (PA 21-113), which establishes pilot programs to help serve persons with opioid use disorder in urban, suburban, and rural communities, and requires the Commissioner of Public Health to issue and increase awareness of chronic pain treatment guidelines. PA 21-113 became effective on July 1, 2021. Continue Reading Connecticut Legislature Passes Act to Help Address the Opioid Epidemic

On July 7, 2021 Connecticut Governor Ned Lamont signed into law Public Act 21-135 (the “Act”). The Act, among other things, makes a revision to the Department of Developmental Services (DDS) statutes allowing DDS regional or training school directors to consent to emergency care for individuals under DDS custody in certain situations.

Existing law allows a DDS regional or training school director to consent to emergency surgery for an individual under their custody or control living in a residential facility. The Act extends this authority to allow the DDS Commissioner or training school director to consent to any medical treatment or surgery when the individual’s attending physician determines that the treatment is of an emergency nature and there is insufficient time to obtain the written consent that would otherwise be required from the individual, the parent of a minor, or the individual’s legal representative. The Act also requires that the attending physician prepare a report describing the nature of the emergency which necessitated such medical treatment or surgical procedure and file a copy of such report in the patient’s record.

The Act became effective July 7, 2021.

This post was co-authored by Erin Howard, legal intern at Robinson+Cole. Erin is not yet admitted to practice law.

On June 23, 2021, Connecticut Governor Ned Lamont signed into law Public Act 21-2 “An Act Concerning Provisions Related To Revenue And Other Items To Implement The State Budget For The Biennium Ending June 30, 2023” (PA 21-2). PA 21-2 makes various changes to Connecticut law as part of implementing the Governor’s budget, including, in pertinent part, a change to statutory requirements that apply to contracts between health carriers (insurers) and participating health care providers. This provision of PA 21-2 takes effect October 1, 2021. Continue Reading Connecticut Budget Bill Includes Important Changes to Network Participation Contracts Between Health Care Providers and Insurers

On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. As cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information, Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements, and offer protection to businesses that have been the subject of a breach despite implementing cybersecurity safeguards from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach against an entity covered by the law if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021. Continue Reading Connecticut Enacts Legislation to Incentivize Adoption of Cybersecurity Safeguards and Expand Breach Reporting Obligations

In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archive communication systems (PACs). PACs are used for the exchange and storage of health scans and images, such as MRIs, CT Scans, breast imaging, and ultrasounds.

According to HHS’s Health Sector Cybersecurity Coordination Center (HC3), the vulnerable systems “can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continues to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately. Health care organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed.”

It is estimated that 130 health systems have not patched the PACS systems and are vulnerable.

HC3 recommended that “PACS security begins by checking and validating connections to ensure access is limited only to authorized users,” and that systems “should be configured in accordance with the documentation that accompanies them from their manufacturer. Internet connected systems should ensure traffic between them and physicians/patients is encrypted by enabling HTTPS.

“Furthermore, whenever possible they should be placed behind a firewall and a virtual private network should be required to access them.” According to HC3, “[T]he vulnerabilities associated with PACS systems range from known default passwords, hardcoded credentials and lack of authentication within third party software.”

Keeping up to date on patching vulnerabilities is vital for the security of health information of patients, and health systems that have not attended to the patching of the PACS vulnerabilities may wish to follow the recommendation of HC3.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Below is an excerpt of a legal update co-authored with Robinson+Cole’s Environmental, Energy + Telecommunications Group partners Megan Baroni and Jon Schaefer.

On June 21, 2021, the Occupational Safety and Health Administration (OSHA) adopted its COVID-19 Healthcare Emergency Temporary Standard (ETS). Employers providing health care services will be required to comply with new COVID-19 specific standards it specifies. The ETS applies to all settings where any employee provides “healthcare services” or “healthcare support services.” Read the legal update.

Last week, Diabetes, Endocrinology & Lipidology Center Inc. (DELC) of West Virginia reached a $5,000 settlement with the Office for Civil Rights (OCR) over  allegations that it failed to provide timely access to a patient’s health records. The OCR alleged that DELC waited more than two years to send a minor’s medical records to their parent, and the records were sent only after the OCR opened an investigation in response to the parent’s complaint. This alleged failure to provide timely access was a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health care providers to respond to a patient’s request for access to health records within 30 days.

This is the 19th settlement for alleged right-of-access violations.

In addition to the $5,000 payment, DELC has agreed to implement a corrective action plan and submit to two years of monitoring.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

The Office for Civil Rights (OCR) last week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.

The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR. Continue Reading OCR Announces Settlement with Clinical Lab for Alleged HIPAA Violations

On May 10, 2021, Connecticut Governor Ned Lamont signed into law “An Act Concerning Telehealth” (the “Act”). The Act extends, until June 30, 2023, many of the COVID-19 related telehealth expansions issued by Governor Lamont through executive orders. A press release from the Governor’s Office expressed the Act’s purpose to extend the duration of the expansion of telehealth services permitted by Executive Order 7G (for our previous analysis of Executive Order 7G, see here). Among other things, the Act:

  • Expands the types of providers that can provide telehealth services to include: physicians, physicians assistants, physical therapists, chiropractors, clinical social workers, registered and advanced practice nurses, and others;
  • Until June 30, 2023, permits telehealth to be provided through audio-only technology and through store-and-forward technology;
  • Permits out of state licensed providers to provide telehealth services in Connecticut as long as they are providing such services pursuant to a relevant order issued by the Connecticut Commissioner of Public Health and maintain proper professional malpractice insurance;
  • Outlines the scope of permitted telehealth prescribing practices to permit prescribing schedule II and III non-opioid controlled substances for the treatment of a person with a psychiatric disability or substance use disorder;
  • Prohibits facility fees associated with telehealth services;
  • Allows providers to provide telehealth services from any location; and
  • Requires providers to accept as payment in full for telehealth services: (a) An amount equal to the Medicare reimbursement for such services if the provider determines the patient does not have health coverage for such services; or (b) The amount the patient’s health coverage reimburses, and any coinsurance, copayment, deductible or other out-of-pocket expense imposed by the patient’s health coverage, for such services if the provider determines the patient has health coverage for such services.

Connecticut’s Legislature has taken an interesting step in passing legislation that extends a COVID-19 related emergency order beyond the Governor’s emergency declaration. As states continue to ease restrictions and governors’ emergency powers end, it will be interesting to observe what emergency orders states’ legislatures extend or even make permanent. The Act is effective upon passage and lasts until June 30, 2023.