This advisory synthesizes several recent major developments impacting the delivery of telehealth services by health care providers in light of the COVID-19 crisis. We cover:
- Key steps taken by the Medicare program, commercial carriers and state governments to significantly expand access to and coverage of telehealth services; and
- The temporary waiver of penalties for potential noncompliance with certain federal fraud and abuse and HIPAA violations related to good faith delivery of telehealth.
This is a rapidly evolving area and additional guidance will likely be needed. However, taken together, these developments reflect a significant effort to remove hurdles and empower healthcare providers to deliver telehealth services ― whether related to COVID-19 treatment or not ― in order to meet the national COVID-19 public health emergency.
CMS and OIG Action to Expand Access to Medicare Telehealth Services
CMS
On March 17, the Trump administration announced that, effective for services starting March 6, and for the duration of the COVID-19 public health emergency, Medicare will make payment for Medicare telehealth services furnished to patients in broader circumstances. These visits will be treated the same and paid at the same rate as in-person visits. In addition, Medicare will make payment for professional services furnished to beneficiaries in all areas of the country (not just in rural communities) and in all settings. Likewise, Medicare will pay for Medicare telehealth services furnished to beneficiaries in any healthcare facility and in their home. Please click here to access the Centers for Medicare and Medicaid Services (CMS) fact sheet.
Although this is welcome regulatory action to expand telehealth coverage, CMS recognizes the limitations due to current telehealth coverage applying to video technology but not extending to healthcare services provided only by telephone. We understand that CMS intends to address coverage for services furnished telephonically in its next round of COVID-19-related guidance.
OIG
On March 17, in response to the spread of COVID-19, the Department of Health and Human Services Office of Inspector General (OIG) issued a policy statement, explaining that physicians and other individual healthcare providers will not be subject to administrative sanctions, if they reduce or waive co-sharing obligations for telehealth services for federal health care program (e.g., Medicare) beneficiaries. In other words, the OIG is providing flexibility for healthcare practitioners to reduce or waive cost-sharing for telehealth visits paid by federal healthcare programs without running afoul of the Federal Anti-Kickback Statute, the civil monetary penalty and exclusion laws related to kickbacks, or the civil monetary penalty law prohibition on inducements to beneficiaries.
The following two conditions must be met in order to avoid administrative sanctions for waiver of cost-sharing for telehealth services: (1) The reduction or waiver is for cost-sharing obligations (i.e., coinsurance and deductibles) that a beneficiary may owe for telehealth services furnished consistent with the then-applicable coverage and payment rules; and (2) The telehealth services are furnished during the timeframe when the COVID-19 declaration was in effect.
Please note, the OIG's policy statement does not require practitioners to reduce or waive any cost-sharing obligations that federal health care program beneficiaries may owe for telehealth services during the COVID-19 declaration. In addition, during the COVID-19 declaration, any complimentary telehealth services alone will not be viewed by the OIG as an inducement or as likely to influence future referrals. Please click here to access the OIG fact sheet.
State Law and Commercial Carrier Waiver of Cost-sharing Obligations
As a result of the COVID-19 concerns, various state governors and insurance departments are encouraging, and in some cases requiring, commercial insurance carriers to cover telehealth visits and to waive cost-sharing obligations for such visits. Please click on the following states for such guidance from Colorado, Connecticut, Massachusetts, New York, and Texas.
The Colorado and Massachusetts telehealth orders, for example, require fully-insured health plans to provide $0 cost-sharing for telehealth services provided by in-network providers related to COVID-19. Connecticut and Texas are only encouraging, but not requiring, insurers to implement such cost-sharing waivers. New York's order goes even further and requires all fully-insured health plans to cover all telehealth visits with $0 cost-sharing, regardless of whether the visit was related to testing or treatment for COVID-19.
Last week, the Internal Revenue Service (IRS) issued Notice 2020-15, which provided leeway for High Deductible Health Plans (HDHPs) to waive cost-sharing for COVID-19 testing and treatment. Normally, any services for diagnosis or treatment covered by a HDHP must be subject to a minimum deductible of $1,400 for self-only coverage or $2,800 for family HDHP coverage; otherwise the HDHP loses its compatibility with Health Savings Accounts (HSAs). While Colorado and Massachusetts drafted guidance that complies with the new Notice, New York's requirement to cover all telehealth visits with no cost-sharing could jeopardize the HSA-eligible status of all fully-insured HDHPs in the state. However, the initial draft of the "Phase 3" COVID-19 stimulus bill, S.3548 (Coronavirus Aid, Relief, and Economic Security Act), addresses this concern and contains a provision that would allow HDHPs to provide free telehealth visits before the deductible is satisfied.
As noted in some of the state telehealth orders, self-funded employer health plans subject to the Employee Retirement Income Security Act (ERISA) are generally exempt from these state requirements due to federal preemption.
Even in states that have not adopted such orders, however, commercial carriers are voluntarily increasing access to telehealth benefits for members, dropping preauthorization requirements and waiving costs for medically necessary testing to diagnose COVID-19 consistent with Centers for Disease Control and Prevention guidance. In addition, many of these commercial carriers also act as third party administrators (TPAs) for self-funded employer plans and are supporting self-insured employers who wish to implement similar measures. Depending on the carrier, self-funded employer plans may have only a limited window of time to choose whether to opt-in (or opt-out) of such arrangements.
Employers should carefully review the options offered by their TPAs. In some cases, the carriers/TPAs are waiving cost-sharing for all telehealth visits regardless of the reason for the visit, similar to the rule adopted in New York. If the telehealth provisions in S.3548 make it into law, employers could adopt this change without jeopardizing the HSA-eligible status of their HDHPs.
Waiver of State Licensure Requirements
The Federation of State Medical Boards (FSMB) issued a press release on March 13 offering their assistance to state medical boards and health departments in verifying medical licenses of physicians and other health care practitioners, so they may practice via telehealth across state lines during the COVID-19 pandemic. Please click here for a copy of the FSMB press release.
Likewise, the medical licensure laws in many states provide exceptions, in emergency cases, to the in-state licensing requirements for health care professionals providing services remotely to patients outside the state. The challenge is determining if the spread of the COVID-19 virus will trigger the applicable exception under the licensure laws and regulations in each state. A number of states have started issuing waivers of these licensure requirements for healthcare professionals providing services across state lines.
In addition, CMS is temporarily waiving requirements that out-of-state Medicare and Medicaid providers be licensed in the state where they are providing services, when they are licensed in another state. Also, very recently, Vice President Mike Pence announced that the U.S. Department of Health and Human Services will be issuing regulations that will allow medical professionals to practice across state lines to meet the needs of hospitals. It is anticipated that this ruling will not eliminate interstate licensing but will permit physicians and other health care professionals to treat out of state patients.
No HIPAA Penalties for Good Faith Use of Non-Public Facing Telehealth Communications
According to a recent notice (the Notice) issued by the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR), during the COVID-19 emergency, OCR will not impose penalties for noncompliance with HIPAA privacy, security and breach notification rules (HIPAA Rules), where a covered health care provider provides telehealth in good faith through any non-public facing remote communications. OCR's temporary exercise of enforcement discretion applies to telehealth services provided for any reason, regardless of whether the telehealth services relate to the diagnosis and treatment of COVID-19. In issuing the Notice, OCR Director Roger Severino emphasized that "we are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities."
Non-Public Facing Communications Products
During the COVID national emergency, a covered health care provider that wants to use audio or video communication technology to provide telehealth to a patient can use any non-public facing remote communication product that is available. Examples of non-public facing remote communications products, which allow for video chats, include Apple FaceTime, Facebook Messenger video chat, Google hangouts video, and Skype. Importantly, the Notice does not extend to public-facing remote communications products. Examples of public-facing remote communications products include Facebook Live, TikTok or similar apps. Covered health care providers should not use these or other public-facing apps to provide telehealth and may face penalties for HIPAA Rules violations related to use of public-facing apps.
Recommended Practices
The Notice describes a number of HIPAA safeguards that providers should implement when using non-public facing remote communications technologies. Specifically, covered health care providers are encouraged to:
- Notify patients that these apps may introduce privacy risks.
- Enable all available encryption and privacy modes when using the apps.
- Put in place business associate agreements (BAAs) with vendors of non-public facing remote communications products, where possible. For example, OCR notes that Skype for Business, Updox, Vsee, Zoom for healthcare, Doxy.me and Google G Suite Hangouts Meet all represent that they provide HIPAA–compliant video communications products and will enter into a HIPAA BAA. OCR has not verified these vendor representations and does not endorse any particular vendor.
While OCR encourages providers to take the above steps, the Notice states that OCR will not penalize providers for failing to put BAAs in place with non-public facing remote communications vendors, or for other HIPAA Rules non-compliance related to good faith delivery of telehealth services, during the COVID-19 national public health emergency. OCR plans to issue additional guidance on how covered health care providers can use remote video communications products and provide telehealth services responsibly.
Limitations of the Notice
The Notice speaks only to OCR enforcement against covered health care providers. State attorneys generally have dual enforcement authority over HIPAA violations, and this is not addressed in the Notice. Furthermore, covered health care providers may have separate privacy and security obligations under laws other than HIPAA. Please click here for a copy of the OCR Notice.
Limited Waiver of HIPAA Penalties for Certain HIPAA Rule Violations by Covered Hospitals
The Notice follows closely on the heels of the decision by the Secretary of Health and Human Services to grant a limited waiver of HIPAA penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care. See 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient's right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient's right to request confidential communications. See 45 CFR 164.522(b).
The waiver only applies: (1) to hospitals that have instituted a disaster protocol; and (2) for up to 72 hours from the time the hospital implements its disaster protocol. These waivers may be helpful for certain telehealth services provided by covered hospitals. Please click here for a copy of the waiver and additional OCR guidance on HIPAA privacy and disclosures in emergency situations.