In the midst of the coronavirus outbreak, the Centers for Medicare & Medicaid Services (CMS) has taken steps to make healthcare services more accessible through telehealth, particularly for those who are at high risk of complications from the virus. CMS and commercial payors have opened a viable path for healthcare providers to continue to provide care to high-risk patients and other patients and receive reimbursement for services to current and new patients.
The Telehealth Services During Emergency Periods Act, part of the Coronavirus Appropriations Act of 2020, expands the use of telehealth for Medicare beneficiaries during the emergency declaration period. The bill allows HHS to waive the originating site requirement for telehealth services provided to Medicare beneficiaries in areas under public health emergency orders, permitting delivery of care to patients as they "shelter at home", and it allows telehealth services to be provided to Medicare beneficiaries via phone, provided the phone allows for audio-video interaction. CMS will not enforce sanctions based on any prior relationship requirement. Telehealth provides medical and dental providers that are currently restricted from providing office-based services with a means to continue care for their current patient base and develop new patient relationships.
CMS has also expanded the use of telehealth in Medicare Advantage plans, Part D and Medicaid/CHIP. In addition, most commercial payors have expanded use of telehealth to address the need to triage and monitor patients remotely. CMS has also provided CMS-MLN educational guidance on billing for telehealth services.
OCR has waived penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules through "good-faith provision of telehealth during the COVID-19 nationwide public health emergency." The enforcement waiver is limited to telehealth.
Part 2 enforcement related to privacy of substance use disorder patient information is also not included in the waiver. For behavioral health and SUD treatment facilities that use telehealth to treat patients, this waiver does not apply to the Part 2 disclosures of information.
What is "good-faith provision of telehealth"? OCR has published telehealth FAQs with guidance on its waiver and provided the following examples of bad faith:
- Criminal acts, such as fraud, identity theft, and intentional invasion of privacy;
- Uses or disclosures of patient data that are prohibited by the HIPAA Privacy Rule not related to treatment, payment or public health authority disclosures such as sale of the data, or use of the data for marketing without authorization;
- Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e., based on documented findings of a health care licensing or professional ethics board); or
- Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a chat room like Slack, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
While the "good-faith" use of telehealth is part of the waiver, an organization's overall Security Rule obligations are not waived. When smart phones or tablets are used for any patient communication:
- use an encrypted communication method;
- configure devices with a unique username and password, with two-factor authentication recommended;
- configure the devices to automatically wipe information after a limited number of failed access attempts and to be wiped remotely if lost or stolen; and
- disable any automatic cloud backup of smartphone or tablet devices except as needed to back up or transfer information to the EHR or other patient record system.
Most telehealth vendors and communication services provide HIPAA compliance specifications to guide configuration of services to provide the recommended security settings for HIPAA compliance. Though the expansion of telehealth access and loosening of certain rigid requirements provide welcome relief to healthcare providers facing a COVID-19 surge, hurdles still remain regarding telehealth technologies, legal restrictions that prevent licensed medical professionals from serving patients, and patient triage. While CMS's changes are receiving praise, more improvements are still needed in order for telehealth to meet its full potential as a means to expand care access while reducing transmission.
Beth Pitman is a partner with Waller Lansden Dortch & Davis in Birmin