Medicare Rules Expand Tech-Enabled Care; Ongoing Need for Cybersecurity

• August 29, 2022
• Jennifer Boese

COVID-19 greatly expanded the use of technology enabled care. We saw hospital-at-home models rapidly come online, largely enabled by remote monitoring, virtual care, telehealth and technology platforms. In Medicare, we saw considerable flexibility granted for the delivery of telehealth — no geographic restrictions and the home as an acceptable location, as examples.

The Centers for Medicare & Medicaid Services (CMS) continues to evaluate the future of these pandemic flexibilities as well as the advancement of other technology approaches in its annual Medicare rulemaking process. And while each new avenue for deploying technology in health care can add new value, it also comes with the potential for new cyber vulnerabilities. We take a look at both in today’s blog.

Proposed 2023 Physician Fee Schedule

In its proposed 2023 Physician Fee Schedule (PFS) rule, a few of the technology-related proposals are:

Remote Therapeutic Monitoring

In the 2022 final rule, CMS finalized payment for the first time for three remote therapeutic monitoring (RTM) codes, along with two codes for RTM treatment management. Unlike its predecessor, Remote Physiological Monitoring, RTM is focused on monitoring and management of non-physiological data. Currently reimbursable RTM under Medicare include respiratory system status, musculoskeletal system status, therapy adherence and therapy response.

Stakeholders had raised concerns with several aspects of the original RTM codes, including that treatment management codes include clinical labor and the codes are considered “incident to” services that cannot be billed independently by physical therapists and other non-physician practitioners. To address this in the CY 2023 rule, CMS proposes four HCPCS G Codes.

HCPCS Code	Code Descriptor
GRTM1	RTM treatment management, physician or MPP professional time over a calendar month requiring at least one interactive communication with the patient/caregiver during the calendar; first 20 minutes
GRTM2	RTM treatment management, physician or MPP professional time over a calendar month requiring at least one interactive communication with the patient/caregiver during the calendar; each additional 20 minutes
GRTM3	RTM treatment assessment services, first 20 minutes furnished personally/directly by a nonphysician qualified health care professional over a calendar month requiring at least one interactive communication with the patient/caregiver during the month
GRTM4	RTM treatment assessment services, each additional 20 minutes furnished personally/directly by a nonphysician qualified health care professional over a calendar month requiring at least one interactive communication with the patient/caregiver during the month

Telehealth Changes

CMS maintains a list of covered telehealth services, called the Telehealth Services List (TSL). There are three categories to use as avenues to add services to the list: Categories 1-3. Categories 1 and 2 are for permanent additions to the TSL. Category 3 relates to services added to the telehealth list during the COVID-19 Public Health Emergency (PHE) but would not have enough evidence to be a Category 1 or 2 addition. That means these Category 3 services are temporary.

For Category 1 additions, CMS proposes to add three services codes.

HCPCS Code	Descriptor
GXXX1	Prolonged inpatient or observation services by physician or other qualified healthcare professional (QHP)
GXXX2	Prolonged nursing facility services by physician or other QHP
GXXX3	Prolonged home or residence services by physician or other QHP

CMS proposes to add 53 services to the Medicare TLS on a Category 3 basis, which will allow their inclusion through the end of 2023 regardless of the status of the PHE. 

Further, if a service was added to the TLS but not as a Category 1-3, CMS is proposing 54 of those services to continue to be covered for an additional 151 days upon conclusion of the PHE.

Also continuing another 151 days post PHE are various telehealth flexibilities as contained in the Consolidated Appropriations Act of 2022. Those include waiving geographic and site of service requirements for telehealth services, allowing audio-only services, and waiving the in-person visit requirement for initiating mental health services, among others.

CMS also proposes to allow opioid treatment programs (OTPs) to initiate treatment with buprenorphine using telehealth. Under the proposal, this could occur either using two-way audio/video (synchronous) or via audio-only technology if a beneficiary does not have synchronous capability.

Proposed 2023 Hospital Outpatient Prospective Payment System (OPPS)

In the proposed CY 2023 OPPS rule, CMS discusses Software as a Service (Saas). CMS began reimbursing for SaaS procedures in 2018. The first reimbursement was for a diagnostic service that allowed physicians to measure coronary artery disease through the use of coronary CT scans. Since that time, CMS has reimbursed for several other SaaS systems using artificial intelligence (AI) algorithms. CMS discusses the difficulty in making payment policies for these SaaS procedures due to their uniqueness. The agency seeks stakeholder feedback on the following:

• How to identify services that should be separately recognized as an analysis distinct from both the underlying imaging test or the professional service paid under the Physician Fee Schedule (PFS)
• How to identify costs associated with these kinds of services
• How these services might be available and paid for in other settings (physician offices, for example)
• How the agency should consider payment strategies for these services across settings of care
• CMS also seeks comments on the specific payment approach it might use for these services under the OPPS as SaaS-type technology becomes more widespread across healthcare.

Technology and Cybersecurity

In just these two proposed rules alone, we see the continued use and payment for telehealth, remote therapeutic monitoring plus SaaS. But there’s so much more technology embedded throughout all of health care. That’s why your organization’s health IT and cybersecurity approach needs to continually evolve as well.

If you are wondering where to start, here are several steps you can take:

1. Review the Department of Homeland Security’s SHIELDS UP guidance
2. Establish a culture attuned to security that includes ongoing education
3. Understand and develop good cybersecurity hygiene. This includes practices and habits related to passwords, multi-factor authentication, security of “smart” devices”, protection of hardware and software, use of firewalls and more.
4. Be extremely mindful that the human factor is responsible for the vast majority of breaches and ransomware. This includes social engineering approaches like phishing/smishing/vishing attacks, and more.
5. Consider seeking outside assistance

If you are advanced in your approach, you are already doing the above and more. But cyber is always changing, which means ongoing control audits, incident response review, ransomware preparedness, vulnerability testing, and more will be valuable.

How we can help

CLA has a cybersecurity and data privacy practice, including those who work specifically with health care clients. From compliance, security, testing, and risk management, we can help. Reach out today.

, Health Care General, Health Care Policy, Regulations, Uncategorized | Comments Off on Medicare Rules Expand Tech-Enabled Care; Ongoing Need for Cybersecurity