The Centers for Medicare & Medicaid Services (“CMS”) and the Department of Health and Human Services (“HHS”) have enacted several measures to confront the public health emergency (“PHE”) caused by the coronavirus and the disease caused by it, COVID-19.  This alert addresses telehealth coverage and recent waivers issued by CMS and HHS that affect how telehealth services are delivered and paid for by Federal government payers. 

Medicare Coverage of Telehealth Services

  • Medicare typically reimburses providers for 3 types of telemedicine visits – (1) telehealth visits; (2) virtual check-ins; and (3) e-visits. The Section 1135 Waivers for Telehealth Services issued by HHS on March 17, 2020 (the “Section 1135 Waivers”) along with other guidance released by CMS and HHS over the past few weeks seek to expand safe access to medical services by making it easier for Medicare beneficiaries to obtain telehealth services.
     
  • A. Telehealth Service: Medicare Part B pays for certain covered telehealth services included on the telehealth list when furnished by an interactive telecommunications system (i.e., live video with audio) if certain conditions, including a geographic and a site requirement, are met.  For instance, under current Medicare regulations, generally, providers are only reimbursed for telehealth services provided to Medicare beneficiaries who are located in a non-Metropolitan Statistical Area or a rural Health Professional Shortage Area at one of the following “originating sites”:  (1) the office of a provider; (2) a critical access hospital; (3) a rural health clinic; (4) a federally qualified health center; (5) a hospital; (6) a hospital-based or critical access hospital-based renal dialysis center (including satellites); (7) a skilled nursing facility; and (8) a community mental health center. Certain other facilities may also qualify as originating sites under certain circumstances and also are exempt from the rural geographic limitation (i.e., renal dialysis facilities, mobile stroke units, etc.).  
     
  • Medicare also limits the types of providers who may deliver telehealth services to: (1) physicians; (2) nurse practitioners; (3) physician assistants; (4) nurse midwives; (5) certified nurse anesthetists; (6) clinical psychologists; (7) clinical social workers; (8) registered dietitians; and (9) nutrition professionals.
     
  • Changes due to Section 1135 Waivers:
    • Effective March 6th and continuing for the duration of the COVID-19 PHE, HHS has expanded the scope of telehealth services Medicare beneficiaries may access by removing the originating site location. Pursuant to the waiver, Medicare will pay providers for (1) telehealth services furnished to Medicare beneficiaries located in all areas of the country in all settings, and (2) telehealth services furnished to beneficiaries in all locations, including patients’ homes.  Medicare considers these telehealth services the same as in-person visits and will pay for them at the same rate as regular in-person visits. 
    • The limitation on the types of providers who may deliver telehealth services remains the same. There has been no expansion of the type of providers who may provide telehealth services that are reimbursed by Medicare.
       
  • B. Virtual Check-Ins: Providers are currently paid for virtual check-ins during which the Medicare beneficiary has a brief (usually 5 -1 0 minutes) technology-based communication (i.e., a telephone call, video chat, text messages) with the provider. Providers and beneficiaries can utilize a broader scope of technology during virtual check-ins than is allowed for telehealth visits. The virtual check-in must be initiated by the Medicare beneficiary, who must also give verbal consent to receive the virtual check-in services. However, CMS approves of the provider educating beneficiaries on the availability of virtual check-ins prior to the patient’s initiation of the service. 
     
  • Unlike, the telehealth visits, there is no geographic restriction to virtual check-ins—the patient can be located anywhere in the country, not only in rural areas. However, only patients who have an established or existing relationship with the provider may utilize virtual check-ins. Additionally, the virtual communication cannot be related to a medical visit within the previous 7 days or lead to a medical visit within the next 24 hours or soonest available appointment.
     
  • Changes due to Section 1135 Waivers: The Department of Health and Human Services’ Office of the Inspector General (“OIG”) has stated that it will not conduct audits for claims submitted during the PHE to determine whether a prior relationship existed between the provider and the Medicare beneficiary or whether the services were provided to a patient that is new to the provider or the provider’s practice. 
     
  • C. E-Visits:  Providers can also be paid for evaluation and management of a Medicare beneficiary with whom they have an established or existing relationship through a patient portal. Like, virtual check-ins, the visit must be initiated by the patient and there is no geographic limitation on where the patient or provider must be located during their communications.  Notably, clinicians such as physical therapists, occupational therapists, speech language pathologists, and clinical therapists – who may not independently bill for E/M visits- are permitted to bill for e-visits. 
     
  • Changes due to Section 1135 Waivers: The OIG has stated that it will not conduct audits for claims submitted during the PHE to determine whether a prior relationship existed between the provider and the Medicare beneficiary or whether the services were provided to a patient that is new to the provider or the provider’s practice.

Other Changes Due to Section 1135 Waivers 

  • Cost-sharing
    • Ordinarily, reductions or waivers of coinsurance and deductibles and other cost-sharing amounts owed by Federal health care program beneficiaries may implicate the Federal anti-kickback statute, the civil monetary penalty and exclusions laws related to kickbacks and the civil monetary penalty law prohibition on inducements to beneficiaries. However, pursuant to the Policy Statement Regarding Physicians and Other Practitioners That Reduce or Waive Amounts Owed by Federal Health Care Program Beneficiaries for Telehealth Services During the 2019 Novel Coronavirus (COVID-19) Outbreak (the “Policy Statement”), the OIG will provide flexibility to providers to reduce or waive cost-sharing for telehealth visits paid by Federal healthcare programs. In the Policy Statement, the OIG makes clear that it will not subject providers to administrative sanctions for reducing or waiving any cost-sharing obligations Federal health care program beneficiaries may owe for telehealth services that are furnished consistent with the then applicable coverage and payment rules as long as both of the following conditions are satisfied:  
      • (1) A provider reduces or waives cost-sharing obligations (i.e., coinsurance and deductibles) that a beneficiary may owe for telehealth services furnished consistent with the then-applicable coverage and payment rules.
      • (2) The telehealth services are furnished during the time period subject to the PHE declaration.
         
    • Interestingly, nothing in the Policy Statement requires providers to reduce or waive any cost-sharing obligations for telehealth services.
       
    • In addition, the OIG will not view the provision of free telehealth services alone to be an inducement or likely to influence future referrals, without further evidence of inducement. Therefore, if a patient returns to the provider after the free telehealth service, the patient’s return by itself will not be considered an inducement. However, whether the promise of additional free telehealth services during the PHE will be evidence of an inducement is not clear.
       
  • Licensing
    • The Section 1135 Waiver suspends the requirement that physicians or other health care professionals hold licenses in the State in which they provide services. Consequently, providers are permitted to perform services in a State in which they are not licensed if they have an equivalent license from another State (and are not affirmatively barred from practice in that State or any other State as part of which is included in the emergency area).  This waiver only applies to federal licensing requirements. It would be prudent for providers to check their state licensure rules before providing telehealth services in a State in which the provider is not licensed. It is worth noting that during these unprecedented times, there are States that have waived or lessened certain licensing requirements under certain conditions. 

The overwhelming purpose (and likely effect) of the Section 1135 waivers is to increase access to all reasonable and necessary medical services, even if those services are not related to the diagnosis and treatment COVID-19.  Although, there has been an expansion of where patients can receive telehealth services and from where providers can provide telehealth services, providers can expect challenges related to the facilitation of appropriate testing and how to accomplish testing for COVID-19 in patients who are evaluated via telehealth. Moreover, the Section 1135 Waivers only apply to Federal requirements and do not apply to State requirements. Providers should check state laws prior to beginning telehealth services.

Discretionary HIPAA Enforcement for Telemedicine Communications

The HHS Office for Civil Rights (“OCR”), the agency responsible for enforcing requirements under the Health Insurance Portability and Accountability Act (“HIPAA”), issued a notice that it will exercise enforcement discretion in connection with the provision of telehealth services. OCR stated that will not impose penalties for non-compliance with the HIPAA Rules against HIPAA-covered health care providers in connection with the “good faith provision of telehealth” during the PHE. Specifically, OCR’s announcement opened the door for health care providers to utilize communication platforms that may not typically meet all HIPAA standards and set forth the following parameters:

  • HIPAA-covered providers can use any non-public facing audio and video communication technology available for remote communications with patients. 
  • The enforcement carve-out applies for any telemedicine activities (not just the treatment of COVID-19 patients).
  • Providers may use popular applications such as FaceTime, Facebook Messenger, Google Hangouts video, or Skype without risk of OCR enforcement for HIPAA noncompliance. However, OCR expressly prohibits use of public-facing applications such as Facebook Live, Twitch, TikTok or similar.
  • Providers should still notify patients of the inherent risk of using such third-party applications and should enable all encryption and privacy modes available. 

Although OCR further stated that the agency will not impose HIPAA penalties for lack of a business associate agreement (“BAA”) with such technology providers, the notice states that healthcare providers seeking additional privacy protections (making it seem optional) should choose vendors that comply with HIPAA (or at least purport to do so) and that will enter a BAA.  OCR specifically highlights certain vendors that agree to execute BAAs and hold themselves out as “HIPAA compliant,” including: Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me and Google GSuite Hangouts Meet.  Even though the notice includes reference to a number of specific products, OCR expressly disclaims any endorsement or recommendation of the noted applications so it is likely safe to assume that use of one of the named products is not necessarily a safe harbor.  

While this leniency is an important measure to streamline the ability for providers to provide telehealth services during the current health crisis, there are still a number of factors health care providers should consider. For instance, OCR’s discretionary enforcement hinges on the “good faith provision of telehealth” which is an ambiguous threshold and is also directly tied to the present PHE. Therefore, it is unclear when this discretionary period will end or how OCR will walk back to its strict interpretation and scrutiny under the HIPAA Rules. As a result, health care providers and other covered entities should consider the following:

  • Continue to exercise diligence in selecting a vendor and product with reasonable and appropriate security safeguards.  Note also that he Cybersecurity and Infrastructure Security Agency (“CISA”) issued a cyber-alert warning about cyber scams related to this PHE.  Security protocols and awareness should remain top of mind. 
  • Carefully negotiate the security reps and termination rights in vendor agreements with these technology providers (including those in the BAA when applicable). 
  • Consider how OCR’s discretionary approach may intersect with state security, data breach and privacy laws. 

OCR’s notice of discretionary enforcement helps clear the path for providers to more quickly establish telehealth services during this difficult time.  However, this allowance is not a “free pass” and presumably has an expiration so health care entities should proceed with caution and make good faith efforts to partner with technology providers that offer reasonable compliance measures. 

*After publication of this alert, the U.S. Department of Health and Human Services Office for Civil Rights issued additional guidance related to its enforcement discretion for telehealth communications. The guidance, which comes in the form of FAQs available here, clarifies the scope, applicability and duration of the leniency period.