On January 11, 2022, the Centers for Medicare and Medicaid Services (CMS) released a proposed National Coverage Determination (NCD) decision memo limiting Medicare coverage for Biogen’s new Alzheimer’s drug, Aduhelm.  Under the terms of the NCD – despite FDA’s 2021 approval of the drug – CMS will only pay for Aduhelm for Medicare beneficiaries who are enrolled in a qualifying clinical trial to assess the drug’s safety and its effectiveness in slowing the progression of Alzheimer’s.  CMS stated, “[B]ased on the public comments submitted previously and evidence CMS reviewed, the potential for harm, and important questions that remain, we have determined that coverage with evidence development through clinical trials is the right decision for Medicare patients, clinicians, and caregivers, and we look forward to receiving feedback on the proposal.”  The proposed NCD is open to public comment for thirty (30) days, and a final decision from CMS is expected on April 11.  If the proposed NCD is finalized, CMS must evaluate each submitted clinical trial to verify that it meets the qualifying criteria specified in the proposed NCD.

Aduhelm has been approved by FDA for the treatment of Alzheimer’s since June 2021.  This is the first drug approved by FDA for the treatment of Alzheimer’s in almost 20 years.  In 2019, two clinical trials for Aduhelm were paused due to data showing the drug was of no benefit to patients’ cognitive function. However, after Biogen re-analyzed one of its trials, it decided to apply to the FDA for approval. The FDA used the accelerated approval process but can withdraw Aduhelm from the market if Biogen’s new clinical trial demonstrates that the drug is ineffective. The FDA pivoted on the approval itself, later recommending Aduhelm only in patients with mild cognitive impairment or mild dementia. Patient advocacy groups such as the Alzheimer’s Association played an important role in pressuring FDA to approve Aduhelm, given the minimal advancements in drug treatment in the space.

Since receiving FDA approval, Biogen has faced tough scrutiny about Aduhelm’s efficacy and cost.  Aduhelm’s initial annual price of $56,000 elicited widespread criticism.  In December 2021, Biogen announced that it would reduce the drug’s price to $28,200 for some patients.   Biogen most likely reduced the price in response to slower than anticipated sales and CMS’s announcement it would increase Medicare’s monthly Part B premium for outpatient care in anticipation of the Aduhelm’s price impact.  Adding to Biogen’s challenges, an FDA advisory committee agreed almost unanimously that the clinical trials did not provide strong enough evidence to corroborate Aduhelm’s efficacy data.  However, based on the clinical trials it did review, FDA claimed that Aduhelm could reduce clumps of plaque in the brain, which is likely to slow dementia.  The discrepancy between the advisory committee’s and FDA’s findings coupled with broad criticism of the FDA led the Department of Health and Human Services Office of Inspector General to conduct a probe into the FDA’s approval process for Aduhelm.

Adding to the complexity, State Medicaid programs have also been vocal in protesting CMS’s decision.  Unlike Medicare, Medicaid is required to cover all FDA-approved drugs regardless of a drug’s clinical efficacy.  Therefore, had Medicare determined not to cover Aduhelm, all costs would shift to the state Medicaid programs.  Though some states and insurers have already declined to cover Aduhelm, CMS’s ruling is likely to influence other payors to refuse coverage.

While some commenters and industry observers have questioned whether CMS’s decision with respect to Aduhelm somehow creates a new, default secondary clinical testing and approval threshold for drug makers, it is more likely that the Medicare agency’s decision on Aduhelm reflects the unique circumstances posed by the drug (i.e. unclear efficacy concerns, conflicting FDA guidance, and an unusually high price point).  Whether CMS will make a habit of limiting coverage for innovative drugs only to beneficiaries participating in additional clinical trials remains to be seen, but is not likely.  We will continue to monitor trends and developments at CMS with respect to coverage and payment decisions on new therapeutics and treatments, including additional research and testing requirements that the agency may impose.

Telehealth’s exponential growth –in part due to the COVID-19 pandemic – has highlighted both its value in increasing access to care and the potential for misuse. The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) released a report in September 2021 that found many state Medicaid programs do not sufficiently evaluate whether telehealth improves access to care, reduces costs, or boosts the quality of care for Medicaid recipients receiving behavioral health services.  Further, the OIG found that many state Medicaid programs do not provide the appropriate oversight necessary to reduce fraud, waste, and abuse.  In fact, only two (2) states have measured the efficacy of telehealth on access to behavioral health services for Medicaid beneficiaries.  In short, the OIG concludes that more steps should be taken to maintain oversight over telehealth, especially in the behavioral health context.

Background

When it comes to behavioral health services such as mental health assessments and therapy, generally, depending on insurance coverage limitations, telehealth can be used and could be covered.  The OIG report addresses this concept and states: “As the nation confronts the psychological and emotional impact of COVID-19, the use of telehealth will be important in addressing behavioral health needs for Medicaid enrollees.”  However, providers must first understand where the value lies, how best to deliver these services, and how to avoid fraud and abuse; and that begins with monitoring and evaluating telehealth services in the Medicaid program.

OIG Findings

The OIG report found the following:

• A few states (3 of 37) could not identify which telehealth services are even offered to Medicaid beneficiaries. Not being able to identify services provided to Medicaid beneficiaries limits the state’s ability to analyze the effects of telehealth for Medicaid enrollees, monitor and provide oversight specific to telehealth, or detect and prevent fraud.
• Only a few states assessed the impact of telehealth usage on behavioral health services for Medicaid beneficiaries, despite states’ responsibilities to ensure access to care and address quality of care. An accompanying report showed that states described the challenges and limitations of using telehealth to meet the behavioral needs of Medicaid enrollees.  As the reimbursement landscape continues to change and there is an increased shift towards telehealth service offerings to Medicaid beneficiaries, the OIG stated that it is critical for all states to evaluate the impact of telehealth.
• Despite concerns of states about telehealth abuse (e.g., inappropriate billing for delivering both telehealth and in-person services, billing for services not rendered, and billing for services provided from outside the country) and states’ joint responsibility to monitor their Medicaid programs, the OIG report concluded that many states (26 of 37) do not perform adequate monitoring or oversight on telehealth services to detect any fraud, waste, and abuse meaningfully. Because of the virtual nature of telehealth services and the complex regulatory environment, states cannot monitor telehealth services to the same degree as in-person services.  The report also found that several states’ program integrity efforts are insufficient to monitor telehealth.

OIG Recommendations

Because the Centers for Medicare & Medicaid Services (CMS) plays an equally important role in evaluating and overseeing state Medicaid programs, the OIG recommends that CMS work with the three states that are unable to distinguish telehealth from in-person services to ensure implementation of indicators to identify which services are provided via telehealth.  The OIG suggests that CMS conduct evaluations, and support state efforts to evaluate the effects of telehealth on access, cost, and quality of behavioral health services and conduct monitoring for fraud, waste, and abuse.  Furthermore, the OIG encourages CMS to specifically support state efforts to oversee and monitor telehealth for behavioral health services.

Notably, CMS agreed with at least one of OIG’s recommendations; namely, CMS indicated that “it is currently monitoring the impact of the COVID-19 pandemic on behavioral health services delivered via telehealth by managed care organizations and has provided States with a Risk Assessment Template to assist State efforts in identifying and addressing program risks.” Further, CMS stated that “it will consider the results from OIG’s study to develop ways to support State efforts to oversee behavioral health services delivered via telehealth by managed care organizations.”  Whether these efforts from CMS will be sufficient to help the states at issue remains to be seen.

Takeaways

Telehealth providers should be mindful that states may begin to undertake more robust and comprehensive measures to assess and ultimately restrict access to Medicaid funds for telehealth services.  Based on the OIG’s report, we anticipate that, because states are charged with determining how their Medicaid programs cover the use of telehealth, the OIG’s report may trigger more active and meaningful monitoring and oversight of the use of telehealth with Medicaid beneficiaries.  States may also start to more thoroughly evaluate the impact of telehealth on access, quality, and cost.  And, we anticipate that state Medicaid programs will likely undertake more significant analysis as they determine which services will continue to be covered in a post-COVID-19 pandemic world.

Accordingly, providers should heed CMS’s anticipated increased monitoring of behavioral health services delivered via telehealth. Providers receiving state-based healthcare reimbursement, for example, should undertake a risk assessment and remedial steps to ensure that telehealth services provided to Medicaid beneficiaries are in compliance with that state’s telehealth laws.  This includes reviewing credentialing policies to ensure that each healthcare professional is licensed in the state in which the patient is receiving services and that the company is tracking compliance. Further, as a general practice, telehealth providers should verify that the correct Current Procedural Terminology medical codes are utilized when providing behavioral health telehealth services to Medicaid enrollees. Lastly, telehealth providers should confirm that they are properly tracking the effects of their telehealth program on Medicaid beneficiaries to better understand the impact telehealth has on access, cost, and quality.

The use of telehealth continues to grow rapidly across the U.S.  Given legislative proposals and the Centers for Medicare & Medicaid Services efforts to expand access to telehealth, we can only anticipate that remotely engaging with healthcare providers is here to stay.   In fact, the National Center for Health Statistics and the Centers for Disease Control and Prevention reported that between April and July 2021, 24.5% of adults in the U.S. had a virtual care appointment with a healthcare professional over video or phone.  Given the continued persistence of COVID-19 and the ease and convenience for both provider and patient, telehealth services will most likely remain popular even as the option of in-person appointments regains footing.

On a parallel front, artificial intelligence (AI) is also driving considerable advancements in patient care. Advances in AI offer a powerful way to create clinical and operational efficiency in today’s healthcare system. According to a study by MIT, 72% of healthcare professional respondents showed interest in implementing AI in healthcare delivery. In the field of radiology, as just one of many examples, AI can already be used to find patterns in CT scans, mammography, and other imaging modes that help radiologists more accurately diagnose cancer and a whole spectrum of  other sometimes hard-to-identify diseases.

Telehealth is one of the newest services to utilize AI widely, and there is great promise in its application.  Telehealth typically involves a synchronous, real-time electronic communication from person-to-person.  Subject to limitations in certain states, telehealth also can be furnished through asynchronous communication, whereby a physician reviews and makes medical assessments based on information that a patient has uploaded or stored in a database.  Even though it is asynchronous, this remains a person-to-person communication.  Recently, however, we see more and more opportunities for AI to augment the person-to-person nature of and enhance the capabilities of telehealth.  For example:

• Clinical Evaluation – leveraging AI to take patient histories and make collecting patient information more efficient. This could include a series of AI-developed questions during telehealth intake designed to ask the right questions in the proper sequence to better assist a physician in determining the cause of a patient’s symptoms.
• Telemonitoring – the potential for AI and telemonitoring extends beyond just collecting patient data and turning them into reports. Implementing AI into remote patient monitoring (RPM) devices can promote preventative care and equip the RPM with the ability to predict adverse events.
• Quality Improvement –further integration of AI technology in telehealth services can help with quality improvement processes by enhancing clinical decision-making and disease diagnosis, ultimately optimizing patient care and significantly improving healthcare outcomes.
• Virtual Health Assistants – AI-enabled interfaces allow patients to have more power and control over their healthcare paths. AI applications in virtual health assistants can provide the patient with precise information about their healthcare condition and assist with better healthcare management.

With the promising future of the continued convergence of AI and telehealth and the increased use of digital and consumer technologies to deliver virtual care, there are several legal and regulatory considerations for telehealth providers.  These include:

• Protecting Patient Health Information. One of the biggest issues related to data privacy and security with the application of AI in healthcare is the need to either use de-identified information or obtain patient authorization to use identifiable information. Absent patient authorization, it is difficult to use protected health information (PHI) for machine learning.  But sometimes de-identified information is insufficient for machine learning.  If the developer of the AI is using de-identified information, it must have the right to de-identify the PHI.  Typically, a business associate (BA) is developing the AI. BA’s must have the right to de-identify under the business associate agreement (BAA); otherwise, they can’t de-identify PHI.  Further, there is a separate risk that the AI can be used to re-identify de-identified information.  Studies have demonstrated the potential to re-identify de-identified patient records by combining it with other data sources that AI collects such as facial recognition or iris scans. Because only a few states, like California, have banned re-identification of de-identified data, a Covered Entity may want to include provisions in a BAA with an entity developing AI to protect against that.

Another significant consideration with AI implementation in digital health is patient health information protection and verification.  Healthcare providers are subject to state privacy and security regulations as well as the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, which protect the privacy and security of health information and give individuals certain rights concerning their health information.  According to a 2019 University of California Berkley study, due to the nature and functionality of AI, current laws and regulations appear inadequate to keep an individual’s health status private.  The findings demonstrate that using AI makes it possible to identify individuals by learning daily patterns collected by remote patient monitoring devices such as smartwatches and smartphones and correlating them to demographic data.  If bad actors gain access to such information, they can piece together patients’ identities.  According to a 2020 cybersecurity survey, 70% of the healthcare providers that responded stated that they experienced significant security incidents between 2019 and 2020.  Telehealth providers should be mindful of the potential gaps in data protections that could be created with the addition of AI.  This includes continued vigilance when it comes to HIPAA compliance and reexamining their internal risk assessments, policies, and practices considering the additional risks raised by AI.

• Corporate Practice of Medicine Considerations. As telehealth platforms leverage AI to help physicians deliver care to patients, there is an increasing opportunity for providers to use AI, through machine learning, for example, to diagnose and/or identify the appropriate treatment regimen for patients.  Potential corporate practice of medicine (CPOM) concerns could ensue.  Generally, CPOM laws are designed to prohibit corporations from practicing medicine:  only individual practitioners can diagnose and treat patients, and CPOM prohibitions prevent corporate interference with a healthcare professional’s independent professional judgment.  Without the right level of physician supervision, it is conceivable that an advanced AI-enabled telehealth platform could potentially diagnose or recommend patient treatment options or otherwise blur the lines demarcating where the machine’s judgment ends, and the physician’s judgment begins.  A company offering AI-enabled telehealth services should be mindful of and create clear supervision requirements and boundaries to avoid running afoul of these longstanding laws.  These boundaries should identify important guardrails, including whether and how a physician can overrule AI-driven diagnoses, and when must a physician sign off on an AI-generated treatment regimen.  Since telehealth is often practiced in multiple states, and because CPOM laws vary from state-to-state, providers utilizing telehealth services must structure their operations to account for the variability of the CPOM prohibitions in various states.
• Health Disparities. The implementation of AI-enabled telehealth services also raises important ethical questions about the availability of innovative care.  There is a potential that adding AI to telehealth services might shrink the gap between those accessing advanced care technologies and those that are not.  For example, studies have shown that those with limited English language skills have lower rates of telehealth use.  Adding AI virtual assistants to telehealth technology could, for example, help to ensure that language barriers do not get in the way of appropriate care.  Rather than finding a provider that speaks a particular language, an AI-enabled telehealth platform could assist by providing translation services in real time in multiple languages.  This could allow an AI virtual assistant, for example, to collect more comprehensive medical history during a telehealth visit, thereby providing a greater opportunity for better care and treatment.  Incorporating AI into telehealth visits might also allow for better questions that account for how different cultures view disease and treatment, or for diseases that might only affect a narrow sub-population.

But, there is also the possibility that AI-enabled telehealth services might exacerbate the gap between those who have access to the latest innovative technology and those who do not.  The growing expansion of telehealth services could risk widening disparities among marginalized populations who may have limited access to necessary resources: for example, those who lack access to a computer or smartphone or lack reliable broadband access.  The deployment of AI by telehealth providers is likely to lower costs and should improve disparities in access to care.  However, in the short term, access to AI-aided telehealth services may be uneven and contribute to a greater disparity in access to care.  The addition of AI to telehealth will likely not solve the physical access or cost problems, and it could conceivably add more costs to telehealth technology.  Further, many state Medicaid programs do cover telehealth visits for their beneficiaries, but the infusion of AI may require state regulators to further examine telehealth coverage policies.

• Professional Liability & Malpractice.  As AI advances and its capabilities are better leveraged, how will the highly litigious American people respond?  Who will be responsible when AI-enabled telehealth results in an unfortunate misdiagnosis?  AI and machine learning are not immune to mistakes.  For example, the visual nature of a skin examination lends itself well to the use of machine learning as a potentially valuable tool in teledermatology and the diagnosis and management of dermatologic diseases, especially in areas where a dermatologist may not be available.  However, just like humans, AI might not always get it right.  AI algorithms have some shortcomings, including inapplicability outside of their training domain or bias. We know that blind spots in machine learning machines can sometimes imitate the worst societal biases, with a risk of unintended consequences that have particular effects on minority groups, which can open up providers to increased liability if they depend on these algorithms to assist in diagnosing patients.  Who can be held liable for malpractice if a patient undertakes a series of damaging treatments – or fails to seek treatment based on an AI-enabled diagnosis the patient receives through a telehealth platform?  The AI developer?  The telehealth platform?  The individual physician who signed off on the misdiagnosis?  And which law applies, especially if the patient is in one state, the telehealth provider in another state, and the AI data platform in yet another state?  Further, how much training must a telehealth platform provide its individual physicians regarding the use of AI-infused tools?  If a healthcare provider uses AI to treat or diagnose a patient, both the AI developer and the healthcare provider may be exposed to tort liability related to an adverse event.  The AI developer can be exposed to products liability claims and the provider may be exposed to malpractice claims.  However, without clear legislative direction, it is conceivable that litigants will use the courts to lay out these rules.
• FDA Implications. The regulatory framework governing AI is complex.  A threshold question for any AI developer is whether their AI-enabled product will be actively regulated by the U.S. Food and Drug Administration (FDA), a question that hinges not only on the product’s functionalities, but also its proposed marketing claims.  Further, the FDA continues to develop its framework for regulation of AI-enabled products that the agency actively regulates.  On January 12, 2021, the FDA released the agency’s first Artificial Intelligence/Machine Learning (AI/ML)-based Software as a Medical Device (SaMD) Action Plan.  This action plan describes a multifaceted approach to advance the FDA’s oversight of AI/ML-SaMD, and offers stakeholders several opportunities to engage with the FDA to discuss the agency’s oversight approach.  For example, upcoming opportunities include the FDA’s planned virtual public workshop on October 14, 2021 on the role of transparency in enhancing the safety and effectiveness of AI/ML-based SaMD. Stakeholder feedback continues to inform the evolution of FDA’s regulatory framework for oversight of AI/ML-based SaMD, including FDA’s expectations for such products during premarket review.  A thorough understanding of such expectations early in development can inform more efficient development strategies.

Advances in the use of AI in telehealth will no doubt continue.  AI’s application in telehealth platforms is not just limited to potentially diagnosing a wide range of diseases (like analyzing data from tele-dermatological visits to more accurately diagnose skin cancer); but it can also improve the patient experience (by asking more pinpointed intake questions, for instance), make telehealth visits more efficient (by, for example, more rapidly analyzing a patient’s history for a physician in advance of a visit), and help ensure more effective treatment (with AI-generated follow-up adherence or refill calls).   AI can reduce differences in clinical practice, improve efficiency, and prevent avoidable medical errors that can help with healthcare costs and improve health outcomes and the patient experience.

But a fundamental component to achieving a safe and effective deployment of AI in telehealth services is ensuring that AI developers, telehealth platforms, and the physicians that leverage these tools have the necessary legal and regulatory guardrails in place. This includes addressing the application of current privacy and data security regimes, how telehealth providers supervise the use of AI technology to ensure compliance with CPOM laws, and how telehealth providers address growing disparities in access to care.