On March 17, 2020, the federal Department of Health and Human Services (HHS), through its Centers for Medicare and Medicaid Services (CMS) and Office of Civil Rights (OCR), took action to expand telehealth benefits for Medicare beneficiaries while also exercising its enforcement discretion and, effective immediately, waiving penalties for physicians using telehealth in the event of noncompliance with the regulatory requirements under the Health Insurance Portability and Accountability Act (HIPAA).
Under this temporary expansion of permitted telehealth services, CMS has permitted Medicare to pay for office, hospital and other visits furnished via telehealth access across the country, including in the patient’s place of residence. This represents a significant change from the current law, which restricts Medicare reimbursement for telehealth to persons receiving services in designated rural areas, and only when they leave their home to travel to a clinic, hospital or specific type of medical facility for their care.
Furthermore, the HHS Office of the Inspector General (OIG) has announced that it will provide flexibility to healthcare providers to reduce or even waive cost-sharing for telehealth visits paid by federal healthcare programs despite the potential anti-kickback, and other, legal ramifications of such actions. Thus, providers will be reimbursed no differently than if the Medicare patients were at an in-person visit, thereby ensuring access to care while limiting the exposure and spread of the COVID-19 virus.
To help encourage providers to begin offering these expanded telehealth services, OCR has advised that it will immediately stop imposing penalties on physicians utilizing telehealth in the event of a potential noncompliance with the numerous HIPAA regulatory requirements.
One of the most critical aspects of this relaxation is the ability of providers to use general commercial video and audio software, such as Apple FaceTime, Facebook Messenger, Google Hangouts or Skype, to provide the telehealth services without the risk that OCR might seek to impose a HIPAA penalty given the potential lack of sufficient security of these video mediums.
While OCR has relaxed its enforcement efforts, it did expressly advise against providers utilizing Facebook Live, TikTok, Twitch and other public communications software as a means of providing telehealth services to patients. OCR has also recommended, but not mandated, that providers utilizing commercial software programs notify patients of the potential security risks along with attempting, to the extent possible, to secure HIPAA business associate agreements with the technology companies who offer the software as a layer of added protection.
For more information, OCR has posted an online notice outlining these changes.
All of the above actions are only temporary as they are intended to help accommodate necessary care in a time of emergency. Thus, providers will need to ensure that any changes in practice revert back once the COVID-19 public health emergency ends.
Please contact the author of this Alert, John W. Kaveney 973.577.1796 | firstname.lastname@example.org, for additional information or to discuss your specific circumstances. Mr. Kaveney is a Partner in the firm's Healthcare Department.