HEALTH LAW SUPPLEMENT Summer 2021

Cyberattacks and insurance. Clients are asking about the advisability of purchasing cyberinsurance policies or endorsements. Professional liability (malpractice) coverage protects against data breaches that result in malpractice claims by injured patients, but they provide no protection for cybersecurity lapses that do not trigger malpractice claims. According to the Cybersecurity and Infrastructure Security Agency, 91 healthcare providers suffered cyberattacks in 2020, up from 50 in 2019. In 2020, 20 billion dollars was lost in the healthcare industry due to downtime caused by ransomware attacks. Attacks are generally against large healthcare centers and not private practices. Medical devices such as x-ray machines and defibrillators are often a point of entry for hackers because they are generally less secure than the systems that store patient records.
Attacks are typically precipitated by: phishing emails that contain a malicious attachment; clicking on malicious links; and viewing ads that contain malware. Some believe that the recent increase in attacks is in part due to increased vulnerability from providers accessing data remotely while working on unprotected systems during the COVID pandemic.
Attackers usually link unwitting users to their websites by using an address that looks familiar such as Microsoft or Google, but is actually the scammer’s site. Such scams can be avoided by carefully examining URL’s, or website addresses. URL’s should be read from right to left because it is the right side that contains information about where the website originates, and whether or not it’s actually what it appears to be. It’s a good idea to avoid clicking links from email, and instead to type out the web address whenever possible. Backing up data locally is a means of minimizing the impact of a cyberattack because then data remains accessible even after the attack. Cloud backups do the same, but downloads may be more time-consuming and costly.
Cyberinsurance coverage for attacks may be worth the additional expense but usually comes with conditions and limitations. It typically provides coverage for costs only after the insured notifies the insurer of the attack. Insurers may require notification of law enforcement, and pre-approval of any ransom paid.

New York’s telehealth law now includes audio-only communication. Since 2015, New York State has had a telehealth law that mandates that insurers provide in-network coverage for services rendered by telehealth if that same service would be covered if rendered in-person. NY Public Health Law Article 29G. New York Bill S.8416/A.10404 passed in 2020 changes the definition of telehealth to include audio-only.
The sponsors of the bill wrote: “In response to the COVID-19 pandemic, telemedicine is again at the forefront of the healthcare landscape. As the crisis transforms – and often mandates – changes to the way the medical community interacts with patients and caregivers, both video and audio telemedicine have become integral components of the delivery of care. The law currently mandates that use of telemedicine include both audio and video services. However, we must recognize that many vulnerable residents in our under-served communities may not have access to video-enabled devices. This bill will amend the current law to allow the use of audio-only telemedicine services in order to ensure that patients in every corner of New York State have the ability to access care and speak with a medical professional remotely.”
The new law leaves New York providers in a quandary regarding CPT coding of their audio-only telehealth services. AMA CPT coding requires specific designation of telehealth by the use of modifiers, either “95″ or “GT” after the ordinary code for the service if it were rendered in person. But, as defined in the CPT, those two modifiers are for use only for services “rendered via a real-time interactive audio and video telecommunications system.” For now, it seems that different insurance companies are giving different instructions to practitioners about how to acceptably code audio-only sessions, so it’s best to ask insurers about coding.

Should I bill for a consultation when I don’t then offer treatment? Probably not in my opinion. After initial consultation, a health care practitioner is free to decline to offer treatment to a prospective patient and in doing so prevent the creation of a therapist-patient relationship. Because in such cases there is no therapist-patient relationship created, the practitioner has no duty to support continuity of care, i.e., no obligation not to abandon. In a relationship that involves consultation only, neither is there any obligation to offer referrals, although many practitioners do offer them in such circumstances. While there is nothing improper about billing for only a consultation as long as the practitioner clearly describes the fee as being only for such, billing for services in general is considered one indication of the creation of a therapist-patient relationship. In addition, I have noticed that when therapists charge prospective patients a fee for a consultation which does not eventuate in an offer of treatment by the therapist, patients often feel aggrieved and may complain to a licensing board about perceived misrepresentation, incompetence or of a “bait and switch” tactic by the therapist. They may also post negative comments online. Not charging seems largely to avoid those outcomes. Adopting such a policy however, puts greater stress on the initial telephone contact to screen out inappropriate prospective patients.

Risk management and boundaries. I guess that I’m preaching to the choir in addressing this issue with those who read this newsletter, but I continue to defend a significant number of psychotherapists alleged to have violated boundaries, where I believe that the allegations might have been prevented had certain risk management strategies been used.
At the outset of treatment when the therapeutic contract is made, it is advisable to inform certain patients of the boundaries of the therapeutic relationship in order to disabuse them of expectations that are of a personal rather than professional relationship. With certain exceptions, e.g., exposure therapies, perhaps some adolescent patients, restrict meetings with patients to in-office or videoconference sessions; for the latter, locate yourself and ensure the patient is located in a private setting. Don’t promise what you cannot deliver in terms of availability and support, e.g., “I’ll always be there for you;” there will inevitably be times when you are unavailable to the patient and times when you will be perceived as unsupportive. Self-disclose only when it’s for a legitimate and specific therapeutic purpose; usually requests by patients for personal information about therapists should first be met with re-direction to the meaning of the inquiry. Don’t discuss other patients with any identifiable details and as with self-disclosure, only with accepted and specific therapeutic purpose. Don’t use terms that may cause patients to misunderstand the therapist-patient relationship, i.e., no terms of endearment, no signing correspondence with “love.” Don’t hug or kiss patients even if you think the contact will be understood as platonic, and especially don’t if a patient requests it. Don’t accept gifts except perhaps infrequently and of small value. (The prior two caveats may be relaxed in therapy with children.) If you believe patients may have misunderstood the boundaries of the therapeutic relationship, then consult with a colleague about the appropriateness of continuing with therapy, and if you haven’t already, carefully document your assessment and handling of a patient’s issues with the maintenance of boundaries. In long term treatment especially, document patients’ progress to avoid allegations that treatment is primarily self-serving to the therapist, a fostering of dependency, rather than focused on patients’ progressing, even if slowly, toward stated treatment goals.

INFORMATION IN THIS NEWSLETTER IS NOT LEGAL ADVICE FOR ANY PARTICULAR CLIENT OR SITUATION. CONSULT WITH AN ATTORNEY INDIVIDUALLY FOR LEGAL ADVICE REGARDING THE SPECIFICS OF YOUR SITUATION.

Categories