The onset of the COVID-19 public health emergency (“PHE”) led to a surge in the use of telehealth by health care providers. In addition, the PHE fueled a boom in the number of direct-to-consumer (“DTC”) telehealth platforms, many of which have relied upon COVID-19 regulatory waivers to launch and operate in multiple states across the nation. For the reasons discussed below, DTC telehealth platforms should revisit their compliance plans and be prepared for increased state and federal regulatory scrutiny.

Concerns Proliferate for Telehealth Platforms

Recent reports by major newspapers and other health care media outlets have raised concerns about DTC platforms, particularly those platforms leveraging high patient-to-provider ratios to prescribe controlled substances. This kind of media attention has brought about increased scrutiny of these platforms by federal and state regulators. Moreover, allegations of improper care or non-compliance with applicable law may even spur ancillary service providers to cease doing business with the platforms, particularly where the ancillary providers receive prescriptions or orders resulting from telehealth encounters. Industry publications recently reported that: (i) federal prosecutors have begun investigating a behavioral telehealth platform, likely relating to the issuance of controlled substance prescriptions through the platform; and (ii) two major pharmacy chains have ceased filling controlled substance prescriptions issued by providers associated with certain behavioral telehealth platforms.

Regulatory Landscape & Waivers

Stakeholders should recognize that a multi-state telehealth platform will implicate the laws of every jurisdiction in which patients are located, including any federal laws that may apply. Therefore, a telehealth platform operating in all 50 states will, for example, need to comport with the laws governing corporate formation, provider licensure, scope of practice, and telehealth encounters in all 50 states.

In addition to applicable federal and state laws and regulations, providers or platforms reliant upon PHE-related waivers must similarly keep apprised of the status of any of the waivers that they rely upon. For example, New York continues to maintain a professional licensing waiver that enables certain providers, licensed out of state, to render care within the state, for the duration of the declared state of emergency. Similarly, with respect to Medicare, Congress extended certain Medicare telehealth flexibilities for 151 days following the conclusion of the PHE, as part of the Fiscal Year 2022 Omnibus appropriations bill. However, other states, including Florida, have not extended their declarations of a state of emergency, resulting in the rescission of emergency powers that previously enabled state agencies to relax or waive state health care laws or regulatory requirements.

Variety of Risks Present in Telehealth Arrangements

The severity and type of risk present in a telehealth business will vary—by jurisdiction, by provider type, by service offering, and by payor mix. For example, the Department of Justice has aggressively pursued health care fraud claims against individuals and entities involved in non-compliant telehealth models. Following a string of similar enforcement actions announced during the PHE, on April 20, 2022, the Department of Justice announced that it brought criminal charges against individuals involved in various non-compliant or impermissible telehealth models, including an arrangement whereby a provider allegedly ordered unnecessary genetic testing as a result of “sham” telemedicine encounters.

As such, it is important that telehealth platforms—and their investors, lenders, and other stakeholders—remain apprised of the regulatory pitfalls and risks associated with multi-state DTC platforms. Importantly, telehealth platforms should be prepared to modify their business models to reduce the risk of non-compliance with applicable laws or regulations, or in response to the rescission of COVID-19 waivers.

Notwithstanding the foregoing, and as evidenced by the waiver of numerous state-level licensing or telehealth requirements, there is increased awareness among elected officials, state regulators, and industry stakeholders of the challenges posed by the regulatory regime facing health care providers and telehealth platforms that wish to render care across state lines. In light of this increased awareness, the waning of the PHE is an opportune time to advocate for the permanent adoption of PHE-related telehealth flexibilities or waivers. However, advocacy efforts may not timely address immediate or short-term business needs, given the breadth of the types of laws implicated by telehealth models, and given the number of jurisdictions serviced by many large telehealth platforms.

Key Legal Issues That Telehealth Platforms Should Consider

Identified below are some of the material health care regulatory concerns that should be visited, and revisited, by any DTC telehealth platform, as scrutiny of these platforms increases.

Corporate Practice of Medicine & Professional Entity Formation
  • Does the state adhere to the corporate practice of medicine doctrine?
  • Does the state require professional services to be rendered through a professional entity?
  • What combination of entities will be required to effectuate the model in all of the states in which the telehealth platform operates?
Fee Splitting, Handling of Consumer/Patient Fees & Financial Relationships
  • Does the state prohibit licensees, including physicians, nurse practitioners, or pharmacies, from sharing their professional fees with third parties?
    • If so, how will patient fees be structured to comport with these restrictions?
  • Do the financial relationships among the platform’s stakeholders comport with fraud, waste, and abuse laws, such as kickback or patient brokering prohibitions that may apply irrespective of payor source?
Provider Licenses
  • What types of providers will render care via telehealth?
  • Are all providers licensed or otherwise authorized to render care via telehealth to patients located in a given state?
  • Are all nurse practitioners, physician assistants, or other licensees practicing within their respective scopes of practice? Are such licensees appropriately supervised, where supervision or oversight is necessary pursuant to applicable law in the jurisdiction(s) in which they practice?
Telehealth Encounter Requirements
  • What type of telehealth encounters will take place on the platform?
  • Do these encounters comport with telehealth encounter requirements set forth by applicable state laws, or government or private payor requirements? Does the state apply different standards, for example, to Medicaid encounters?
  • Do these encounters comport with prevailing standards of care, particularly where a prescription is issued as a result of a telehealth encounter?
Prescriptions & Controlled Substances
  • Does the state limit the types of products or drugs that may be prescribed via telehealth?
  • Does the state impose any other requirements or restrictions upon the prescribing of controlled substances, beyond the requirements imposed by the Federal Controlled Substances Act?
Marketing
  • How will the platform market its services to consumers or patients and what will the marketing consist of?
  • How will the marketing comply with the FDA rules regarding the marketing of prescription drugs and/or professional practice rules applicable to licensees?
Privacy
  • Does the platform treat certain data as consumer data? If so, at what point during the consumer’s interaction with the platform is the data generated governed exclusively by HIPAA? How is this disclosed to consumers?
  • Were patients provided with appropriate consents, including a HIPAA Notice of Privacy Practices?
  • Has the platform (whether in its role as a Covered Entity or Business Associate) adopted all necessary policies and procedures required by HIPAA?
  • How will data be used for marketing, in compliance with applicable laws, including HIPAA?

Proskauer’s Health Care Group is experienced in helping industry participants navigate these questions, whether for providers seeking to adopt a telehealth program in-state, or telehealth platforms seeking to launch nationwide.

Jason S. Madden

Jason Madden is a partner in the Corporate Department and a member of the Health Care Group. His practice focuses on representing health care clients, including hospitals, physician groups, not-for-profit corporations, private equity firms and other financial institutions. Jason provides legal advice on a wide range of transactional and regulatory matters, including fraud and abuse compliance; HIPAA and data privacy; mergers, acquisitions and financings; and general corporate and business planning.

In addition, Jason actively participates in pro bono matters, representing not-for-profit organizations on a variety of matters, and is an active member of the American Health Lawyers Association (AHLA). Jason has led Proskauer’s Election Protection Call Center during the last two election cycles.

Jonian Rafti

Jonian Rafti is an associate in the Corporate Department and a member of the Health Care Group. Since law school, his practice has exclusively focused on representing a variety of clients in the health care sector, including hospitals and health systems, physician organizations, telehealth platforms, and digital health companies.

Jonian provides legal advice on a range of regulatory, corporate, and transactional matters governing the practice of medicine and the health care industry, including: federal and state fraud and abuse compliance; HIPAA; scope of practice limitations; telehealth encounter requirements; practice expansions; and general corporate and business planning.

Jonian is a Certified Information Privacy Professional (CIPP/US), and serves on the Board of Directors of The Andrew Goodman Foundation. As a law student, he worked at the Charities Bureau of the New York State Office of the Attorney General on matters affecting state not-for-profit corporations.