– The American Medical Association (AMA) announced the addition of three Current Procedural Terminology (CPT) codes for AstraZeneca’s COVID-19 vaccine.
The American Medical Association (AMA) today announced that
the Current Procedural Terminology (CPT®) code set is
being updated by the CPT Editorial Panel to include immunization and
administration codes that are unique to the COVID-19 vaccine under development
by AstraZeneca and University of Oxford.
The new CPT codes will be effective for use on the condition
that the AstraZeneca vaccine receives approval or emergency use authorizations
from the Food and Drug Administration (FDA). The AMA is publishing the new CPT
codes now to ensure electronic systems across the U.S. health care
system are updated and prepared for the prospect of FDA approval or
authorization for the AstraZeneca vaccine.
of CPT Codes to Support COVID-19 Vaccines
The AstraZeneca vaccine joins two other COVID-19 vaccines that were previously issued unique CPT codes to report vaccine-specific immunizations once FDA approval or authorization has been granted. On Nov. 10, the AMA announced that COVID-19 vaccines developed by Pfizer and Moderna had been issued unique CPT codes to clinically distinguish each vaccine for better tracking, reporting, and analysis that supports data-driven planning and allocation
AstraZeneca COVID-19 Vaccine CPT Codes Overview
Category I CPT code and long descriptor for the AstraZeneca vaccine are:
91302: Severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) (coronavirus disease [COVID-19]) vaccine, DNA, spike protein, chimpanzee adenovirus Oxford 1 (ChAdOx1) vector, preservative-free, 5×1010 viral particles/0.5mL dosage, for intramuscular use
In addition to the new vaccine-specific product CPT code, the AstraZeneca vaccine has been issued vaccine administration CPT codes that are distinct to its two-dose immunization schedule. These CPT codes report the actual work of administering the vaccine, in addition to all necessary counseling provided to patients or caregivers and updating the electronic record.
For quick reference, the new vaccine administration CPT codes and long descriptors for the AstraZeneca vaccine are:
0021A: Immunization administration by intramuscular injection of severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) (coronavirus disease [COVID-19]) vaccine, DNA, spike protein, chimpanzee adenovirus Oxford 1 (ChAdOx1) vector, preservative-free, 5×1010 viral particles/0.5mL dosage; first dose
0022A: second dose
In addition to the long descriptors, short and medium descriptors for all the new vaccine-specific CPT codes can be accessed on the AMA website, along with several other recent modifications to the CPT code set that have helped streamline the public health response to the SAR-CoV-2 virus and the COVID-19 disease.
“A mass vaccination effort with the first available COVID-19 vaccines presents enormous logistical challenges,” said AMA President Susan R. Bailey, M.D. “The ability to correlate each COVID-19 vaccine with its own unique CPT code provides analytical and tracking advantages that ensures optimal vaccine distribution and administration, especially for patients who will need to complete the two-dose immunization schedule.”
– Omada’s diabetes prevention program will be available
to Intermountain’s at-risk patient population as part of a limited engagement
in 2020 and 2021.
– Omada’s diabetes prevention program is personalized to
meet each participant’s unique needs as they evolve, ranging from diabetes
prevention, type 2 diabetes management, hypertension, behavioral health, and
Deepening a collaboration that began in 2016, Omada Health
Healthcare announced the availability of Omada’s Prevention Program as a covered
benefit to patients with prediabetes seen by Intermountain Medical Group
providers at Intermountain primary care facilities. As in-person healthcare
systems seek to integrate proven digital care and coaching for at-risk
patients, this new offering creates a roadmap for large health systems across
the country. Omada’s prevention program will be available to Intermountain’s
at-risk patient population as part of a limited engagement in 2020 and 2021
that launched at the end of August.
Omada’s diabetes prevention program is personalized to meet
each participant’s unique needs as they evolve, ranging from diabetes
prevention, type 2 diabetes management, hypertension, behavioral health, and
musculoskeletal issues. Omada combines professional health coaching, connected
health devices, real-time data and personalized feedback to deliver clinically
Expansion Builds on Previous Successful Collaborations
This announcement builds on a series of milestones between
Intermountain Healthcare and Omada. In 2016, the two companies launched an
innovative partnership in conjunction with the American Medical Association to
deliver digital diabetes prevention services via physician referral. In 2019,
the Omada Program became a covered benefit for Intermountain employees and
their adult dependents, followed by an investment from
Intermountain Ventures, the strategic investment arm of Intermountain
“Intermountain is focused on ensuring all patients receive the care and information they need – where, when, and how they want it – with seamless coordination across the system,” said Elizabeth Joy, M.D., M.P.H., Intermountain’s Medical Director for the Office of Health Promotion and Wellness under Community Based Care and Nutrition Services. “We’ve enrolled nearly 2,000 participants to date from our caregiver population, and we anticipate that access to the Omada program will enhance patient engagement and improve health outcomes in a time when patients are seeking deeply human digital care.”
Why It Matters
“By expanding the Omada diabetes prevention program to our at-risk patients, digital coaches will help encourage and teach patients to proactively manage and improve their overall health and prevent a potentially deadly disease. This is one of the many ways Intermountain Healthcare is moving toward value-based care, which aims to improve patient outcomes and reduce healthcare costs, not just for patients, but entire communities,” said Rajesh Shrestha, VP and COO, community-based care at Intermountain and president and CEO of Castell, an Intermountain company focused on elevating value-based care capabilities.
– The American Medical Association (AMA) published an
update to the Current Procedural Terminology (CPT®) code set that includes new
vaccine-specific codes to report immunizations for the novel coronavirus
– The new Category I CPT codes and long descriptors for the vaccine products 91300 and 91301 for better tracking, reporting, and analysis that supports data-driven planning and allocation.
The American Medical Association (AMA) today published an update to the Current Procedural Terminology (CPT®) code set that includes new
vaccine-specific codes to
report immunizations for the novel coronavirus (SARS-CoV-2).
New Category CPT Codes
The new Category I CPT codes and long descriptors
for the vaccine products are:
91300: Severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) (Coronavirus disease [COVID-19]) vaccine, mRNA-LNP, spike protein, preservative-free, 30 mcg/0.3mL dosage, diluent reconstituted, for intramuscular use
91301: Severe acute respiratory syndrome coronavirus
2 (SARS-CoV-2) (Coronavirus disease [COVID-19]) vaccine, mRNA-LNP, spike
protein, preservative free, 100 mcg/0.5mL dosage, for intramuscular use
In accordance with the new vaccine-specific product CPT codes, the CPT Editorial Panel has worked with the Centers for Medicare & Medicaid Services to create new vaccine administration codes that are both distinct to each coronavirus vaccine and the specific dose in the required schedule. This level of specificity is a first for vaccine CPT codes, but offers the ability to track each vaccine dose, even when the vaccine product is not reported (e.g. when the vaccine may be given to the patient for free). These CPT codes report the actual work of administering the vaccine, in addition to all necessary counseling provided to patients or caregivers and updating the electronic record.
Admin CPT Codes & Long Descriptors
For quick reference, the new vaccine administration CPT codes and
long descriptors are:
0001A: Immunization administration by intramuscular injection of severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) (Coronavirus disease [COVID-19]) vaccine, mRNA-LNP, spike protein, preservative-free, 30 mcg/0.3mL dosage, diluent reconstituted; first dose
0002A: Immunization administration by intramuscular injection of severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) (Coronavirus disease [COVID-19]) vaccine, mRNA-LNP, spike protein, preservative-free, 30 mcg/0.3mL dosage, diluent reconstituted; second dose
0011A: Immunization administration by intramuscular injection of Severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) (Coronavirus disease [COVID-19]) vaccine, mRNA-LNP, spike protein, preservative-free, 100 mcg/0.5mL dosage; first dose
0012A: Immunization administration by intramuscular injection of Severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) (Coronavirus disease [COVID-19]) vaccine, mRNA-LNP, spike protein, preservative-free, 100 mcg/0.5mL dosage; second dose
All the new vaccine-specific CPT codes published in today’s update will be available for use and effective upon each new coronavirus vaccine receiving Emergency Use Authorization or approval from the Food and Drug Administration. In addition to the long descriptors, short and medium descriptors for the new vaccine-specific CPT codes can be accessed on the AMA website, along with several other recent modifications to the CPT code set that have helped streamline the public health response to the SAR-CoV-2 virus and the COVID-19 disease.
– Ontrak acquires LifeDojo Inc, a San Francisco, CA-based
comprehensive, science-backed behavior change platform.
– The acquisition broadens Ontrak’s addressable market
and footprint to lower acuity populations enabling new interventions and remote
Ontrak, Inc., a
virtualized healthcare company, today announced that it has acquired
LifeDojo Inc, a comprehensive, science-backed behavior change platform.
Financial details of the acquisition were not disclosed.
Behavior Change Platform for Consumers and Employers
Founded in 2013, LifeDojo is a platform that makes
transformative life changes possible for members in over 16 countries.
Supported by decades of public health research, the LifeDojo approach to
member-centric behavior change delivers lasting health improvement outcomes,
high enrollment, and better engagement than traditional programs. Clients
include Fortune 500 companies and high-tech, high-growth organizations who use
LifeDojo’s 32 behavior change modules.
COVID-19 Spawns Mental Health Surge
The Journal of the American Medical Association (JAMA) this month reported accumulating evidence of a “second wave” mental health surge that will present monumental challenges for an already greatly strained mental health system and individuals at high risk for mental health disorders such as anxiety, depression, and post-traumatic stress. A June 2020 survey from the Centers for Disease Control and Prevention of 5,412 US adults found that 40.9% of respondents reported “at least one adverse mental or behavioral health condition,” including depression, anxiety, posttraumatic stress, and substance abuse, with rates that were three to four times the rates one year ago.
With the coronavirus pandemic rapidly increasing demand for
“telemental” health solutions, the acquisition of LifeDojo is expected to
advance the Ontrak growth strategy in four ways:
First, the acquisition adds a technology-first,
digital business deployed by blue chip customers in the employer space.
Second, LifeDojo enhances Ontrak’s market-leading
behavioral health engagement capabilities for new and existing customers, with
the addition of the LifeDojo digital tools that drive member value and lower
cost. The combination of behavioral health coaching and digital app-based
solutions meets accelerated payer demand for a comprehensive suite of
behavioral health services and solutions.
Third, the LifeDojo platform increases the company’s
addressable market by enabling the creation of lower cost, digital
interventions across behavioral health and chronic disease populations.
Fourth, LifeDojo’s member-facing apps enable remote
patient monitoring capabilities, initially focused on member reported data,
that will feed Ontrak AI capabilities and further personalize Ontrak’s
“As a public company and leader in virtualized healthcare, Ontrak is uniquely positioned to attract companies, products and technologies that expand our value proposition and footprint with health plan and employer partners. We will endeavor to make additional strategic purchases that expand our addressable market and maximize customer value. LifeDojo and these other intended acquisitions can possibly expand our total addressable $33.7 billion market by up to 100%,” said Mr. Terren Peizer, Chairman and CEO of Ontrak.
The update to the CPT code set was approved by the CPT Editorial Panel, the independent body convened by the AMA with the authority to review and approve proposed additions and revisions to the CPT code set. The new additions and revisions to the CPT code set have been approved for immediate use.
“Two of the newly approved codes report nucleic acid assays that allow a single test to simultaneously detect the novel coronavirus and a combination of common viral infectious agents, including influenza A/B and respiratory syncytial virus,” said AMA President Susan R. Bailey, M.D. “Concurrent detection promises to conserve important testing resources, allowing for ongoing surveillance of influenza while testing for the novel coronavirus.”
New CPT Codes
reference, the new category I CPT codes and long descriptors are:
87636: Infectious agent detection by nucleic
acid (DNA or RNA); severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2)
(Coronavirus disease [COVID-19]) and influenza virus types A and B, multiplex
amplified probe technique
87637: Infectious agent detection by nucleic
acid (DNA or RNA); severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2)
(Coronavirus disease [COVID-19]), influenza virus types A and B, and
respiratory syncytial virus, multiplex amplified probe technique
CPT Editorial Panel Revisions
The CPT Editorial Panel also revised CPT codes ranging from 87301 to 87430 by removing the undefined term “multi-step method” from code descriptors. The revision clarifies the proper reporting for antigen tests that are read by a machine, as compared to those which can be visually interpreted without a machine. This revision affects the newly developed descriptor for CPT code 87426.
In accordance with the above revision, the CPT Editorial Panel approved a new category I code, 87811, to report infectious agent antigen detection by immunoassay with direct visual observation.
87811: Infectious agent antigen detection by
immunoassay with direct optical (ie, visual) observation; severe acute
respiratory syndrome coronavirus 2 (SARS-CoV-2) (Coronavirus disease
In addition to the long descriptors, short and medium descriptors for CPT codes 87636, 87637, 87426 and 87811 can be accessed on the AMA website, along with several other recent modifications to the CPT code set that have helped streamline the public health response to the SAR-CoV-2 virus and the COVID-19 disease.
The coronavirus pandemic accelerated telemedicine exponentially as patients and doctors switched from in-person visits to remote consultations. Health providers rapidly scaled virtual offerings in March and April and traffic volumes soared to unprecedented levels, with practices “seeing 50 to 175 times the number of patients by telehealth than before the outbreak,” according to McKinsey. By early August, the U.S. Department of Health and Human Services expanded the list of allowable telehealth services in Medicare and there was an executive order supporting permanent telehealth provisions for rural areas.
But the surge in telemedicine adoption comes with a host of cybersecurity risks and regulatory compliance requirements unique to the healthcare sector.
As telemedicine traffic increases, so does the volume of hacking attempts. Recent cybersecurity news indicates healthcare organizations are top targets for cyberattacks and “providers remain the most compromised segment of the healthcare sector, accounting for nearly 75 percent of reported breaches.” The consequences are chilling: “The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the United States.
Further, whenever patient information is involved, HIPAA compliance is required. While HHS temporarily suspended pursuing HIPAA penalties on providers for “good faith provision of telehealth during the COVID-19 nationwide public health emergency,” such permissiveness will not last.
Luckily, most telemedicine providers can utilize managed services and cloud infrastructure to keep pace. Here are some best practices to meet IT compliance and cybersecurity demands for telemedicine.
Telemedicine Compliance Best Practices
Compliance should be viewed as a real-time process that drives security. Telemedicine tools and technology should therefore reflect significant expertise with all healthcare regulations (HIPAA, HITRUST, HITECH), with compliance functions permeating processes. Recommended compliance best practices include:
1. Automate Remediation
Healthcare applications cannot offer high reliability if every potential compliance problem is remediated manually; there’s just too much that can go wrong and never enough staff to address it when needed. The solution is to automate everything that can be automated, and rely on people to handle exceptions or potential violations that don’t impact reliability. Cloud-based services can integrate AI and operational intelligence to automatically remediate anomalies when possible, present recommendations to operations staff for cases that cannot be resolved automatically, and present clear choices such as:
· Do Nothing: Take no action, delete ticket after [x number of days]
· Fix Now: Implement the recommended actions immediately
· Schedule: Perform the recommended actions during the next maintenance window
This approach speeds resolution and decreases service disruptions, and improves the reliability of telemedicine delivery. The automated response also plays a critical role in security (which will be discussed shortly).
2. Perform Formal Risk Assessments
Understanding the risk level and specific risk issues are critical components for an effective compliance plan. Many providers of healthcare services underestimate their level of risk, in part because it is difficult to quantify. The HHS has published guidance in its Quantitative Risk Management for Healthcare Cybersecurity, which offers insight. There are also cloud solutions that can aid the process. Cloud services providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud offer automated security assessment services that help improve the security and compliance of applications deployed on their cloud hosting platforms. They can generally assess applications for exposure, vulnerabilities, and deviations from best practices. A good inspection service should highlight network configurations that allow for potentially malicious access, and produces a detailed list of findings prioritized by level of severity.
3. Reduce Attack Surface
To provide secure access to sensitive information, hybrid architectures supporting telemedicine applications need a virtual private network (VPN) gateway between on-premises and cloud resources. However, developers, test engineers, remote employees, and others who need access to cloud-based protected health information (PHI) may bypass a VPN gateway by either cracking open the cloud firewall to allow direct unencrypted internet traffic or using peering connections. To prevent such potential exposures, secure desktop-as-a-service (DaaS) solutions provide an elegant way to allow cloud-based access to PHI without exposing connections or records. A DaaS is generally deployed within a VPC providing each user with access to persistent, encrypted cloud storage volumes using an encryption key management service. No user data is stored on the local device, which reduces overall risk surface area without impeding development capability.
Telemedicine Security Best Practices
While the full scope of cybersecurity strategies is beyond the scope of this article, here are three best practices that telemedicine providers can use bolster their security profile:
1. Deploy Proactive Network Security
Modern cyber threats have become steadily more sophisticated in evading traditional security measures and more devastating once they penetrate network perimeters. For that reason, telemedicine providers need a highly proactive, multilayered approach to prevent malware-based outages, theft of intellectual property, and exfiltration of protected health information (PHI).
A combination of network anti-malware, application control, and intrusion prevention systems (IPS) is recommended. Such proactive solutions are generally bundled in managed cloud services that should automatically detect suspicious system changes in real-time, isolate and quarantine affected resources, and prevent the spread of exploits by locking down any server whose configuration differs from the installed settings.
2. Encrypt Data Storage
Data encryption is the last line of cyber-defense for PHI and other critical information. Even if an attacker can penetrate the perimeter and proactive network security and exfiltrate data from the provider, those data are useless to the hacker if encrypted. It’s good practice to encrypt all web and application servers running on cloud instances using a unique master key from a key management service when creating volumes.
Encryption operations generally occur on the servers that host cloud database (DB) instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its block storage. For additional protection, you can also opt to encrypt DB instances at rest, underlying storage for DB instances, its automated backups, and read replicas.
3. Harden Operating Systems
Both Microsoft Windows Server and Linux are ubiquitous operating systems in telemedicine. They are also both attractive targets for cybercriminals because they provide complex capabilities, frequently remediate vulnerabilities, and are so common (increasing attackers’ chances of finding an unpatched system). Hackers use OS-based techniques such as remote code execution and elevation of privilege to take advantage of unpatched operating system vulnerabilities. Hardened images of Windows Server and Linux virtual machines (VMs) should be used, employing default configurations recommended by the Center for Internet Security (CIS). Such hardened images make gaining OS administrative extremely difficult, and coordinate well with proactive security bundles described earlier.
While these best practices are targeted primarily at telemedicine companies, they can also be applied to a wide range of healthcare providers and organizations delivering vital services in the face of 2020’s dramatic swings in demand.
About Gerry Miller
Gerry Miller is the founder and chief executive officer at Cloudticity. He is a successful serial entrepreneur and healthcare fanatic. From starting his first company in elementary school to selling his successful technology consulting firm in 1998, Gerry has always marched to his own drummer, producing a series of successes. Gerry’s first major company was The Clarity Group, a Boston-based Internet technology firm he founded in 1992. Gerry presided over seven years of 100% aggregate annual growth and sold the company in 1998 when it had reached $10MM in revenue.
He was recruited by Microsoft to become their Central US Chief Technology Officer, eventually taking over a global business unit and growing its revenue from $20MM to over $100MM in less than three years. Gerry then joined ePrize as Chief Operating Officer, where he grew sales 38% to nearly $70MM while improving operating efficiency, quality, and both client and employee satisfaction. Gerry founded Cloudticity in 2011 with a passion for helping healthcare organizations radically reshape the industry by unlocking the full potential of the cloud.