Welcome
Privacy & Data Security Law News

INSIGHT: Key Medicare Telehealth, HIPAA Changes During Coronavirus Pandemic

March 26, 2020, 8:01 AM

The Trump administration recently made telehealth services available to Medicare patients in an effort to limit the spread of the coronavirus.

On March 6, President Trump signed into law the Coronavirus Preparedness and Response Supplemental Appropriations Act. Embedded in this act is the Telehealth Services During Certain Emergency Periods Act, which loosened regulatory restrictions on telehealth to enable patients to obtain necessary medical services without having to leave their homes.

On March 17, the administration announced the implementation of this waiver , which the Centers for Medicare and Medicaid Services has effectuated.

Telehealth services historically have only been available to Medicare beneficiaries in certain circumstances and only if the patient had an existing, established relationship with the health care provider. The Act lessens some of Medicare’s restrictions on coverage of telehealth services in connection with the Covid-19 Public Health Emergency Declaration.

The CMS makes clear in a FAQ that the waiver allows any Medicare patient, regardless of location, to receive telehealth services in their home. In addition, while the waiver is in effect, the CMS will not enforce the established relationship restriction.

The CMS stated it will not conduct audits to ensure that a prior relationship existed for claims submitted during the emergency, saying “it is imperative during this public health emergency that patients avoid travel, when possible, to physicians’ offices, clinics, hospitals, or other health care facilities where they could risk their own or others exposure to further illness.”

Providers Should Be Mindful

Although the waiver makes telehealth services more accessible for Medicare beneficiaries, providers should be mindful of a few key considerations.

The enactment of the CMS waiver does not mean providers can simply ignore state licensure requirements related to the provision of telehealth services.

While many states have lessened the burden of these requirements in response to Covid-19, it is important for providers to review what is specifically permitted in states’ emergency declarations with respect to professional licensure, as well as the use of telehealth services, to determine the scope of the services they may provide. There may still be state restrictions on where the patient and provider must be located and on who can provide these services.

It also is important for providers to consider their compliance infrastructure when moving to a telehealth platform. For many providers, making a transition to providing telehealth services will be a reactionary one in light of the Covid-19 pandemic.

Developing internal compliance policies and trainings around the use of telehealth services requirements, and the reinforcement of generally good compliance “best practices” (e.g., informed consent, documentation) are no less important when providing telehealth services.

Further, while providers can bill immediately for dates of service starting March 6, they should be mindful that Medicare coinsurance and deductibles still apply for these services (although the HHS Office of Inspector General is providing flexibility for providers to reduce or waive cost-sharing for telehealth visits paid by federal healthcare programs).

HIPAA Penalties Waived

Also on March 17, HHS’ Office for Civil Rights announced it would waive any potential penalties for HIPAA violations for health-care providers who are serving patients using “everyday communications technologies” because many of these technologies may not fully comply with HIPAA.

The OCR issued additional guidance March 20 in the form of FAQs to provide additional clarification on its waiver. Among other things, it includes the scope of the enforcement discretion, the types of technologies allowed, and the length of time the enforcement discretion will be in place.

The FAQs are helpful, but providers and in-house counsel should continue to monitor guidance issued by the OCR to ensure that they are operating under the most recent guidance.

Updates are provided rapidly, the original notice was modified on March 23 to expand the list of potential resources that could be utilized for telehealth services.

Providers should create policies to ensure that activities provided are for the purpose of telehealth services during the national emergency and don’t cross over into the “bad faith” conduct described by the OCR. For example, the FAQs note the following as examples of “bad faith”:

  • Violations of state licensure laws;
  • Use of public facing platforms;
  • Criminal conduct;
  • Inappropriate further uses of the ePHI.

Providers should ensure all team members understand that notification of individuals must still occur in the event of a breach. Providers also should monitor the the OCR’s public statements to be informed when the waiver is removed and have an action plan ready to transition patients who may be used to using a familiar platform that may no longer be available once the waiver is removed.

The above changes demonstrate the government’s recognition that telehealth will be critical in the coming days to limit the spread of the coronavirus. In light of current predictions, it is possible that these waivers will remain in effect for the foreseeable future.

What is unclear is whether the CMS and the OCR will take action to permanently codify these changes to make telehealth services more accessible to the entire Medicare population.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Anjali N.C. Downs is a member of the firm in the Health Care and Life Sciences practice, in the Washington, D.C., office of Epstein Becker Green. Her practice focuses on fraud and abuse and federal and state regulatory compliance within the health care industry.

Anjana D. Patel is a member of the firm in the Health Care and Life Sciences practice, in the Newark and New York offices of Epstein Becker Green. Her practice focuses on health care transactions and regulatory compliance counseling.

Patricia M. Wagner is a member of the firm in the Health Care and Life Sciences and Litigation practices, in the Washington, D.C., office of Epstein Becker Green. She also serves as a general counsel of the firm and as chief privacy officer.

Amy F. Lerman is a member of the firm in the Health Care and Life Sciences practice, in the Washington, D.C., office of Epstein Becker Green. She focuses her practice on a variety of regulatory and transactional health care matters, including telehealth and telemedicine.

To read more articles log in. To learn more about a subscription click here.