February 28, 2023
As the health care industry continues to evolve at a rapid pace, many family physicians are exploring innovative practice models, including concierge and direct pay care. These models have gained traction in primary care in recent years because they can streamline the administrative burden of maintaining a practice and stabilize revenue, enabling physicians to provide more personalized and convenient care to their patients. Patients in turn benefit from greater accessibility to their doctor and can avoid some insurance hurdles as well.
While both models are alternatives to traditional fee-for-service practice, there can be important differences. The direct pay structure allows providers to bypass billing payors, instead charging patients directly, typically on a membership fee basis that covers all services in the practice. This approach enables providers to decrease overhead and provide a predictable scope of services for their patients.
Concierge practices also charge a membership fee, but many continue to bill insurance as well. These providers must ensure that the services offered under the membership fee are not the same as services reimbursed by payors, as Medicare rules prohibit physicians from charging patients extra for services covered by Medicare, and some commercial payor contracts may also have limitations that impact services that physicians can provide outside of covered services in the contract. While these stipulations add a layer of complexity, concierge providers often provide a greater range of services than their direct pay counterparts, which can simplify the treatment process for patients that might otherwise have to seek care outside of the practice.
While direct pay and concierge medicine can be attractive options, family physicians should understand the legal and compliance framework surrounding each model before making the transition to either.
It’s a common assumption that all health care providers are subject to HIPAA. However, HIPAA rules only apply to providers that are covered entities, which are providers that transmit health information in electronic form in connection with what DHHS terms “standard transactions.” Many of these standard transactions involve the exchange of health care data to insurers, including, but not limited to, data transmitted in connection with payment and remittance advice, obtaining claims status, enrollment and disenrollment in a health plan, coordinating benefits, determining eligibility for a health plan, and obtaining referrals or authorizations.
Providers that do not transmit any health information electronically to a third-party payor in connection with a standard transaction are generally not considered covered entities and thus are not subject to HIPAA rules. However, this exemption does not extend to providers that offer a membership fee for services outside of insurance coverage but also continue to bill payors, a group which can include concierge providers as well as direct pay practices in which some of the practice’s patients are direct pay while other patients are covered by third-party payors. Moreover, considering the frequency of data exchange in the health care industry and the corresponding security threats, even providers that do not submit claims to payors are generally best served by complying with HIPAA regulations, both to effectively protect the privacy and security of patient data and to ease the burden of compliance in the event of future transfers of data that do fall under HIPAA. Additionally, providers that are not covered entities may still be subject to HIPAA if they provide services to covered entities as a business associate. Finally, other data security and privacy laws may still apply, even if HIPAA rules do not. A careful understanding of these rules as they apply to the practice’s particular circumstances is an important part of setting up a compliant practice using these alternative compensation models.
Telemedicine is an essential service to many family medicine providers operating under direct pay or concierge models. Accelerated by the COVID-19 pandemic when remote care took on a new level of importance, telemedicine is at the forefront of many modern care delivery models. Virtual services can enhance the convenience of direct pay and concierge membership for patients and can be particularly valuable to family physicians who provide for patients with chronic conditions, allowing them to close gaps in care and ultimately improve the overall health of patients.
While telemedicine can be an important service offered under these models, it also presents cybersecurity challenges to providers. Threats to the privacy and security of patient data are nothing new in health care, but the emergence of telemedicine adds a layer of complexity due to the lack of a unified security framework across multiple networks and devices.[1] Providers can guard against security risks by complying with the safeguards under the HIPAA Privacy and Security Rules and by engaging cybersecurity and legal professionals to establish a security strategy prior to providing virtual care. DHHS also stresses the importance of providers ensuring that their insurance covers telemedicine, including coverage in multiple states if applicable.
In addition to considerations related to patient health information, family physicians interested in providing virtual care as a service in their direct pay or concierge practices must comply with the North Carolina Medical Board (NCMB) guidance governing the practice of telemedicine.
The NCMB holds licensees practicing telemedicine to the same standard of care as those practicing in-person care, including reliance on appropriate evaluations prior to diagnosing and/or treating a patient. Evaluations can be made through virtual technology if such technology allows providers to accurately diagnose and treat a patient in conformity with the applicable standard of care, necessitating case-by-case consideration by physicians prior to each evaluation.
Physicians must also take steps to appropriately establish a patient relationship prior to providing telemedicine services, including verifying the patient’s identity and location, making the provider’s information available, and ensuring the availability of appropriate follow-up care as applicable. Physicians must be licensed in North Carolina to provide telemedicine services to patients in the state.
In most circumstances, direct pay and concierge providers own the medical records of their patients and must comply with the same rules as providers operating under traditional models. Even if these providers are not subject to HIPAA requirements related to patient right of access, the NCMB states that licensees have a legal and ethical obligation to maintain records, provide patients with access, protect confidentiality of records, and facilitate transfer of patient information to other providers in a safe manner.
As potential models for family medicine, both direct pay and concierge practices offer opportunities to decrease overhead and simplify payment systems. However, family physicians considering either model should carefully weigh its unique compliance challenges: whether HIPAA applies given the practice’s electronic transmission of health information and its billing of payors; the cybersecurity strategy and NCMB requirements that govern telemedicine; and medical record-keeping that meets the legal and ethical obligations owed to patients regarding their records.
Physicians interested in adopting either care model should always involve legal counsel to obtain a case-by-case understanding of the practice’s specific compliance needs.