Privacy Policy Ponderings
Most if not all websites will (or should) contain a link to a Privacy Policy at the bottom of the page. The Privacy Policy will in either great or vague detail describe what information is collected, how the information will be used, and potentially what rights are given to the user. Privacy Policies can frequently be somewhat dense and be full of legal language.
The implementation of various new privacy schemes (whether talking about GDPR from Europe or CCPA from California) has resulted in jurisdiction specific statements and language being added into the Privacy Policy. The new language is driven by the requirements of the new laws, but just adds to the length of the policy and could generate confusion as to who the language applies to.
Regardless of the contents or how the Privacy Policy is set up, the terms will almost always state that a user agrees to the policy just by using the website or applicable service. The agreement occurs even if the user does not actually view or read the terms of the Privacy Policy. That approach is arguably understandable as requiring specific agreement or consent prior to use would likely interfere with the ease of using a website. However, the lack of attention to the details in the Privacy Policy means users will not know what could be given up in the data that is entered or collected through the website or applicable service, an issue especially true for applications that are free. As a saying goes, there’s no such thing as a free lunch, which is especially true when it comes to data.
Contracts of Adhesion?
Could a Privacy Policy be viewed as a contract of adhesion? First, that raises the question of what exactly is a contract of adhesion. It can be a standard form contract that is drafted by one party, often with more leverage, and presented to another party for acceptance without the opportunity to negotiate or modify the terms of the agreement. A contract of this nature is often used in consumer settings to make transactions proceed in a smoother fashion or to avoid unexpected outcomes for the party presenting it.
While a contract with no room for negotiation seems unfair, a contract of adhesion will still be enforceable. One of the keys to enforcement when being reviewed by a court is whether there are any unconscionable, hidden, or buried terms in the agreement. That boils down to making each statement known and not trying to hide the ball on the user. Given the prevalence of so-called click thru agreements or agreements through use, how many users have any awareness of the terms that are being agreed to? The answer is likely few if any.
Adding to the difficulty of understanding or even getting anyone to review is the often dense nature of a Privacy Policy. Most webpages will display a Privacy Policy in a dense block of text that, if lucky, may be broken up by headings. Some policies attempt to use more everyday language as opposed to legalese, but still leaves a lot to dig through.
Despite many users not reviewing the terms of agreements like Privacy Policies, there is still a recognizable benefit to enabling agreement through simple use.
Expanding Privacy Concerns
As noted, attention to privacy and the use of data has been increasing as a steady pace over the past few years. The attention resulted in passage of new laws meant to enhance the rights of individuals in their own data. The rights focus on access, determination, and potentially control. The new scheme are a reaction to the proliferation of data and the view that such data were being exploited without an individual having an ability to have a say in that exploitation.
As suggested, the new rights, at least within the United States, are fragmented. At this point in time, there is no overarching federal privacy scheme, leaving the states to adopt patchwork laws that only apply within the boundaries of the state. Suggesting that the rights only exist in a particular state though somewhat ignores that nothing on the internet is so contained. As a result, the most restrictive or proscriptive state law could become a de facto national standard.
While standards may develop in that way, for a Privacy Policy it means inserting very qualified language that arguably needs a decision tree included to determine when and how the rights or obligations apply. The average user would not necessarily know the nuances of the law or laws driving the state specific language.
A Better Way
With all of the attention and concern around privacy, is there a better way? The variety of interests and scope of information to include certainly presents a challenge, but it also feels like it is possible to present the information in an easier to digest manner. One first attempt, that I got to work on, is the Privacy Policy for Carium. While the more standard document is present that dives into many of the usual terms and details, the initial presentation is in shorter blocks of text that give the high level explanation of what is being laid out. The goal was to encourage users to engage with the Privacy Policy instead of just going right past the policy.
The effort built upon the concepts laid out by Sage Bionetworks in a guide for patient centered informed consent. The premise is to present legal terms in a concise, easy to understand manner. The challenge of meeting this goal is ready acknowledged. However, the opportunity to distinguish and set apart a Privacy Policy by following these concepts is intriguing. The issue comes back to why not explore such options as a means of being friendlier to users.
Using plain English in a Privacy Policy does not mean sacrificing protections though. A Privacy Policy should set out clear legal rights and interests, but legal protection does not have to equate to making those terms hard to understand. An ideal guiding principle for legal drafting would be ensuring that everyone picking up the document can understand it. Drafting so only an attorney can understand is not necessarily helpful.
What Comes Next?
Continuing to move away from dense, overly complex Privacy Policies could help foster more trust between companies and users. Both sides need each other, so why not be more honest and clear about what is happening. Such an approach is a shift in thinking around how Privacy Policies work. Given the potential upside, how many will make the jump to experiment? That is not known, but hopefully time can be devoted to standard documents like Privacy Policies to move away from the old routine and set a new standard.
Share this:
Click to print (Opens in new window)Click to email this to a friend (Opens in new window)Click to share on LinkedIn (Opens in new window)Click to share on Twitter (Opens in new window)Click to share on Facebook (Opens in new window)Click to share on Reddit (Opens in new window)Click to share on Pocket (Opens in new window)Click to share on Tumblr (Opens in new window)Click to share on Pinterest (Opens in new window)
Tags
Business, Contract Drafting, Contracting, Privacy
Categories
BUSINESS
COMPLIANCE
HEALTH IT
HEALTHCARE REFORM
REGULATIONS
TELEHEALTH
Telehealth: Onward and Upward
Post author
By Matt Fisher
Post date
February 10, 2021
No Commentson Telehealth: Onward and Upward
It should be well known at this point in time that telehealth achieved rapid adoption and expansion throughout the course of the COVD19 pandemic. The adoption and expansion was the result of many emergency orders though that will only remain in place while a public health emergency declaration is in place. As a potential light at the end of the COVID tunnel can be seen, what will happen next? Optimistically, the answer is stabilization at the current point and growth.
What has Happened?
The federal government, specifically the Centers for Medicare and Medicaid Services (“CMS”), took as much regulatory action as may be possible through finalization of the 2021 Medicare Physician Fee Schedule (“2021 PFS”). The 2021 PFS added several new permanent telehealth codes for coverage and reimbursement. Included in the expansion was clarification around how remote patient monitoring will be covered, which is a particularly effective tool for clinicians and care teams to engage with patients outside the traditional walls of a healthcare institution.
Late 2020 also saw CMS launch a hospital at home demonstration model that encouraged hospitals to care for patients in their own homes while still providing the same amount of reimbursement as given to typical inpatient care. Hospital at home is a concept with a decent amount of evidence-based history of helping to improve outcomes while also controlling costs. If CMS’s new demonstration model gets to the same result, then it could be possible to see hospital at home a more permanent part of the care delivery landscape.
States have also been active on the legislative front. As already noted, the vast majority of, if not all, states used public health emergency declarations to require coverage along with increasing reimbursement for telehealth. States are also somewhat quietly and with growing momentum making those changes permanent. The list of states taking action since the COVID pandemic began include Massachusetts, Maine, New Hampshire, Texas, and Washington among others. Many of those changes focus solely on commercial coverage (meaning private health insurance plans) though. Addition of teleheath requirements to state Medicaid plans may not be so consistent or expansive.
What is Coming Next?
The next steps for telehealth are multifold and will need to approach a number of different angles. First, a legislative press needs to continue, in particular at the federal level. A telehealth coverage bill was reintroduced with the start of the 117th Congress that is meant to keep the emergency changes in place, at least for some period of time, and examine how best to incorporate telehealth for the longer term into Medicare and other government coverage. The legislation also tries to address clinician licensure issues as well as other geographic based restrictions, such as where the patient needs to be located.
States are also continuing to introduce new legislation to make telehealth coverage permanent. Bills are pending in some states that would keep the emergency changes. While it is not know if the bills will pass yet, it is certainly positive that legislation is being considered.
In considering the various forms of legislation, it will be essential to not just require coverage. Coverage just means that an insurance plan may be required to include telehealth in the scope of services that a plan member can access. Coverage is separate and distinct from reimbursement though. Many arguments may be presented for full payment parity, which has largely been the case during the emergency. Parity means plans would pay for telehealth services at the same level as in-person services. Arguments can be presented on both sides of the coin as to what level of reimbursement is appropriate. However, no matter the outcome of the debate, reimbursement should, at a minimum, be set at a level where utilization of telehealth is not discouraged because the money coming in is too low. If reimbursement undercuts the use of telehealth by pinching the financial health of an organization, then no one will benefit.
Another component for the growth of telehealth is development of evidence around the actual impact of service delivery through telehealth. The evidence should focus on the quality of care delivered, impact on workflow, and impact on cost. Positive outcomes may be expected on all fronts, though the impact on cost will be one of the most important data points for expansion. Presumptive arguments claim that telehealth just drives up service utilization along with cost because patients and clinicians can use so easily. However, if a telehealth visit could be viewed as preventing a complication or not driving up utilization, then cost would not necessarily increase and the case for telehealth is strengthened.
Another key area for legislative attention on telehealth use will be licensure of the clinicians who can deliver telehealth services. Currently, a clinician is typically required to be licensed in the state where the patient being treated is located. That is giving rise to the state of some clinicians holding 50 or more licenses, a cumbersome process and management requirement at best. During the pandemic, some states granted emergency licenses, recognized licensure in another state, or created telehealth specific licenses. Regardless of the specific solution, easing the licensing process would certainly have a beneficial impact. There is also a growing argument that medicine is practiced the same in all states, which raises the question as to why each state has a different licensing requirement. While a single solution is unlikely, some change will be necessary to make the process clearer.
Connection to Value Based Care
The COVID pandemic has frequently been cited as a driver for increasing the adoption of value based care models. If that is true, then telehealth will become even more essential. Being able to easily interact with patients and promote preventative care ties directly into the processes necessary for succeeding in value based care.
Beyond the presumed video based visit, remote patient monitoring and other engagement solutions, which are all forms of telehealth, will also factor into the value based care discussion. Helping patients lead healthier lives and detecting potential complications earlier should have a positive impact on the overall cost of care delivery along with patient satisfaction and community benefit. An almost limitless number of potential benefits could be identified, but commitment will be necessary to seeing it bear out.
The Takeaway
It may sound like a broken record, but it is really important for all interested parties to keep up the pressure and attention to telehealth expansion and incorporation. Legislation is absolutely required to keep all of the changes made during the pandemic in place. Sliding backwards is not a good option. Instead, the focus must be onward and upward.
The implementation of various new privacy schemes (whether talking about GDPR from Europe or CCPA from California) has resulted in jurisdiction specific statements and language being added into the Privacy Policy. The new language is driven by the requirements of the new laws, but just adds to the length of the policy and could generate confusion as to who the language applies to.
Regardless of the contents or how the Privacy Policy is set up, the terms will almost always state that a user agrees to the policy just by using the website or applicable service. The agreement occurs even if the user does not actually view or read the terms of the Privacy Policy. That approach is arguably understandable as requiring specific agreement or consent prior to use would likely interfere with the ease of using a website. However, the lack of attention to the details in the Privacy Policy means users will not know what could be given up in the data that is entered or collected through the website or applicable service, an issue especially true for applications that are free. As a saying goes, there’s no such thing as a free lunch, which is especially true when it comes to data.
Contracts of Adhesion?
Could a Privacy Policy be viewed as a contract of adhesion? First, that raises the question of what exactly is a contract of adhesion. It can be a standard form contract that is drafted by one party, often with more leverage, and presented to another party for acceptance without the opportunity to negotiate or modify the terms of the agreement. A contract of this nature is often used in consumer settings to make transactions proceed in a smoother fashion or to avoid unexpected outcomes for the party presenting it.
While a contract with no room for negotiation seems unfair, a contract of adhesion will still be enforceable. One of the keys to enforcement when being reviewed by a court is whether there are any unconscionable, hidden, or buried terms in the agreement. That boils down to making each statement known and not trying to hide the ball on the user. Given the prevalence of so-called click thru agreements or agreements through use, how many users have any awareness of the terms that are being agreed to? The answer is likely few if any.
Adding to the difficulty of understanding or even getting anyone to review is the often dense nature of a Privacy Policy. Most webpages will display a Privacy Policy in a dense block of text that, if lucky, may be broken up by headings. Some policies attempt to use more everyday language as opposed to legalese, but still leaves a lot to dig through.
Despite many users not reviewing the terms of agreements like Privacy Policies, there is still a recognizable benefit to enabling agreement through simple use.
Expanding Privacy Concerns
As noted, attention to privacy and the use of data has been increasing as a steady pace over the past few years. The attention resulted in passage of new laws meant to enhance the rights of individuals in their own data. The rights focus on access, determination, and potentially control. The new scheme are a reaction to the proliferation of data and the view that such data were being exploited without an individual having an ability to have a say in that exploitation.
As suggested, the new rights, at least within the United States, are fragmented. At this point in time, there is no overarching federal privacy scheme, leaving the states to adopt patchwork laws that only apply within the boundaries of the state. Suggesting that the rights only exist in a particular state though somewhat ignores that nothing on the internet is so contained. As a result, the most restrictive or proscriptive state law could become a de facto national standard.
While standards may develop in that way, for a Privacy Policy it means inserting very qualified language that arguably needs a decision tree included to determine when and how the rights or obligations apply. The average user would not necessarily know the nuances of the law or laws driving the state specific language.
A Better Way
With all of the attention and concern around privacy, is there a better way? The variety of interests and scope of information to include certainly presents a challenge, but it also feels like it is possible to present the information in an easier to digest manner. One first attempt, that I got to work on, is the Privacy Policy for Carium. While the more standard document is present that dives into many of the usual terms and details, the initial presentation is in shorter blocks of text that give the high level explanation of what is being laid out. The goal was to encourage users to engage with the Privacy Policy instead of just going right past the policy.
The effort built upon the concepts laid out by Sage Bionetworks in a guide for patient centered informed consent. The premise is to present legal terms in a concise, easy to understand manner. The challenge of meeting this goal is ready acknowledged. However, the opportunity to distinguish and set apart a Privacy Policy by following these concepts is intriguing. The issue comes back to why not explore such options as a means of being friendlier to users.
Using plain English in a Privacy Policy does not mean sacrificing protections though. A Privacy Policy should set out clear legal rights and interests, but legal protection does not have to equate to making those terms hard to understand. An ideal guiding principle for legal drafting would be ensuring that everyone picking up the document can understand it. Drafting so only an attorney can understand is not necessarily helpful.
What Comes Next?
Continuing to move away from dense, overly complex Privacy Policies could help foster more trust between companies and users. Both sides need each other, so why not be more honest and clear about what is happening. Such an approach is a shift in thinking around how Privacy Policies work. Given the potential upside, how many will make the jump to experiment? That is not known, but hopefully time can be devoted to standard documents like Privacy Policies to move away from the old routine and set a new standard.
Share this:
Click to print (Opens in new window)Click to email this to a friend (Opens in new window)Click to share on LinkedIn (Opens in new window)Click to share on Twitter (Opens in new window)Click to share on Facebook (Opens in new window)Click to share on Reddit (Opens in new window)Click to share on Pocket (Opens in new window)Click to share on Tumblr (Opens in new window)Click to share on Pinterest (Opens in new window)
Tags
Business, Contract Drafting, Contracting, Privacy
Categories
BUSINESS
COMPLIANCE
HEALTH IT
HEALTHCARE REFORM
REGULATIONS
TELEHEALTH
Telehealth: Onward and Upward
Post author
By Matt Fisher
Post date
February 10, 2021
No Commentson Telehealth: Onward and Upward
It should be well known at this point in time that telehealth achieved rapid adoption and expansion throughout the course of the COVD19 pandemic. The adoption and expansion was the result of many emergency orders though that will only remain in place while a public health emergency declaration is in place. As a potential light at the end of the COVID tunnel can be seen, what will happen next? Optimistically, the answer is stabilization at the current point and growth.
What has Happened?
The federal government, specifically the Centers for Medicare and Medicaid Services (“CMS”), took as much regulatory action as may be possible through finalization of the 2021 Medicare Physician Fee Schedule (“2021 PFS”). The 2021 PFS added several new permanent telehealth codes for coverage and reimbursement. Included in the expansion was clarification around how remote patient monitoring will be covered, which is a particularly effective tool for clinicians and care teams to engage with patients outside the traditional walls of a healthcare institution.
Late 2020 also saw CMS launch a hospital at home demonstration model that encouraged hospitals to care for patients in their own homes while still providing the same amount of reimbursement as given to typical inpatient care. Hospital at home is a concept with a decent amount of evidence-based history of helping to improve outcomes while also controlling costs. If CMS’s new demonstration model gets to the same result, then it could be possible to see hospital at home a more permanent part of the care delivery landscape.
States have also been active on the legislative front. As already noted, the vast majority of, if not all, states used public health emergency declarations to require coverage along with increasing reimbursement for telehealth. States are also somewhat quietly and with growing momentum making those changes permanent. The list of states taking action since the COVID pandemic began include Massachusetts, Maine, New Hampshire, Texas, and Washington among others. Many of those changes focus solely on commercial coverage (meaning private health insurance plans) though. Addition of teleheath requirements to state Medicaid plans may not be so consistent or expansive.
What is Coming Next?
The next steps for telehealth are multifold and will need to approach a number of different angles. First, a legislative press needs to continue, in particular at the federal level. A telehealth coverage bill was reintroduced with the start of the 117th Congress that is meant to keep the emergency changes in place, at least for some period of time, and examine how best to incorporate telehealth for the longer term into Medicare and other government coverage. The legislation also tries to address clinician licensure issues as well as other geographic based restrictions, such as where the patient needs to be located.
States are also continuing to introduce new legislation to make telehealth coverage permanent. Bills are pending in some states that would keep the emergency changes. While it is not know if the bills will pass yet, it is certainly positive that legislation is being considered.
In considering the various forms of legislation, it will be essential to not just require coverage. Coverage just means that an insurance plan may be required to include telehealth in the scope of services that a plan member can access. Coverage is separate and distinct from reimbursement though. Many arguments may be presented for full payment parity, which has largely been the case during the emergency. Parity means plans would pay for telehealth services at the same level as in-person services. Arguments can be presented on both sides of the coin as to what level of reimbursement is appropriate. However, no matter the outcome of the debate, reimbursement should, at a minimum, be set at a level where utilization of telehealth is not discouraged because the money coming in is too low. If reimbursement undercuts the use of telehealth by pinching the financial health of an organization, then no one will benefit.
Another component for the growth of telehealth is development of evidence around the actual impact of service delivery through telehealth. The evidence should focus on the quality of care delivered, impact on workflow, and impact on cost. Positive outcomes may be expected on all fronts, though the impact on cost will be one of the most important data points for expansion. Presumptive arguments claim that telehealth just drives up service utilization along with cost because patients and clinicians can use so easily. However, if a telehealth visit could be viewed as preventing a complication or not driving up utilization, then cost would not necessarily increase and the case for telehealth is strengthened.
Another key area for legislative attention on telehealth use will be licensure of the clinicians who can deliver telehealth services. Currently, a clinician is typically required to be licensed in the state where the patient being treated is located. That is giving rise to the state of some clinicians holding 50 or more licenses, a cumbersome process and management requirement at best. During the pandemic, some states granted emergency licenses, recognized licensure in another state, or created telehealth specific licenses. Regardless of the specific solution, easing the licensing process would certainly have a beneficial impact. There is also a growing argument that medicine is practiced the same in all states, which raises the question as to why each state has a different licensing requirement. While a single solution is unlikely, some change will be necessary to make the process clearer.
Connection to Value Based Care
The COVID pandemic has frequently been cited as a driver for increasing the adoption of value based care models. If that is true, then telehealth will become even more essential. Being able to easily interact with patients and promote preventative care ties directly into the processes necessary for succeeding in value based care.
Beyond the presumed video based visit, remote patient monitoring and other engagement solutions, which are all forms of telehealth, will also factor into the value based care discussion. Helping patients lead healthier lives and detecting potential complications earlier should have a positive impact on the overall cost of care delivery along with patient satisfaction and community benefit. An almost limitless number of potential benefits could be identified, but commitment will be necessary to seeing it bear out.
The Takeaway
It may sound like a broken record, but it is really important for all interested parties to keep up the pressure and attention to telehealth expansion and incorporation. Legislation is absolutely required to keep all of the changes made during the pandemic in place. Sliding backwards is not a good option. Instead, the focus must be onward and upward.
