The U.S. Department of Health and Human Services (HHS) has issued several waivers applicable to the provision of telehealth services during the COVID-19 emergency period. Some of these waivers expand Medicare coverage and help ease regulatory burdens so patients and providers can exchange information through electronic communications, with a focus on helping Medicare beneficiaries communicate with their providers from home. At the state level, governors, state medical boards, and public health and Medicaid agencies are working to remove regulatory burdens to swift disaster response. This alert compiles some of these resources to help clients understand the current and fluid environment for expanding telehealth communications with patients during the COVID-19 response.

CMS AND HEALTH PLAN WAIVERS

The Centers for Medicare & Medicaid Services (CMS) issued a waiver broadening access to traditional telehealth services so that program beneficiaries can receive telehealth services from their healthcare providers without having to travel to a healthcare facility. CMS also issued waivers permitting Medicare Advantage Organizations to waive requirements, so stay tuned to further announcements from the health plans in your area. The American Association of Health Plans has compiled a list of actions that commercial, Medicaid, and Medicare managed care providers are taking.

Background

The Coronavirus Preparedness and Response Supplemental Appropriations Act (Coronavirus Response Act), signed into law by President Donald Trump on March 6, 2020, includes a provision allowing the Secretary of HHS to waive certain Medicare telehealth payment requirements during a public health emergency. CMS issued a waiver and related guidance shortly thereafter. The waiver, which is effective for services provided on or after March 6, 2020, will allow Medicare beneficiaries in all areas of the country to receive telehealth services, including at home. The waiver permits a range of providers, including doctors, nurse practitioners, clinical psychologists and licensed clinical social workers, to offer telehealth services to their patients. A summary of CMS' changes to Medicare telehealth coverage under the Coronavirus Response Act can be found in the following chart.

CMS maintains a list of services that are normally furnished in-person that may be furnished via telehealth. This list is available here. These services are described by HCPCS codes and paid under the Medicare Physician Fee Schedule. CMS’ waiver allows these services to be provided to patients by eligible professionals regardless of the patient’s location.

CMS' guidance on Medicare telehealth services under the Coronavirus Response Act (CMS Telehealth Guidance) describes three types of services covered by the waiver: Medicare Telehealth Visits, Virtual Check-ins, and E-Visits.

Medicare Telehealth Visits

Medicare telehealth visits require the use of interactive audio and video telecommunications systems permit real-time communication between a distant site and the patient, including smartphone and video chat during the waiver period. Distant site practitioners can include physicians, nurse practitioners, physician assistants, nurse midwives, CRNAs, clinical psychologists, clinical social workers, registered dietitians and nutrition professionals. These services can be provided to any Medicare beneficiary, including in situations where the provider and beneficiary have not had a prior existing relationship. The CMS Telehealth Guidance is clear that HHS will not conduct audits to ensure that such a prior relationship existed for claims submitted during this public health emergency. During the public health emergency, these visits are considered the same as an in-person visit and paid at the same rate as regular in-person visits. Generally, Medicare coinsurance and deductibles will apply, but please refer to the section below titled OIG - Reductions or Waivers of Cost-Sharing Obligations.

In a related move, the DEA will now permit DEA-registered practitioners providing telehealth visits to prescribe Schedule II-V controlled substances for a legitimate medical purpose to patients for whom they have not conducted an in-person medical evaluation. The practitioner must otherwise act in compliance with federal and state laws, including the DEA regulations for electronic prescribing or calling the pharmacy for Schedule III-V prescription and in medical emergencies, calling in Schedule II prescriptions.

Virtual Check-Ins

Virtual Check-ins allow Medicare patients in their home to have a brief communication with a practitioner via a telephone or exchange of information through video or image. CMS expects these virtual services to be initiated by patients; however, practitioners may need to educate patients on the availability of the service prior to patient initiation. The virtual check-ins are for patients with an established relationship with the provider where the communication is not related to a medical visit within the previous seven days and does not lead to a medical visit within the next 24 hours. Patients verbally must consent to receive the services, and the Medicare coinsurance and deductibles will apply.

CMS provides the following billing guidance for these services: Doctors and certain practitioners may bill for these virtual check-in services furnished through several communication technology modalities, such as telephone (HCPCS code G2012). The practitioner may respond to the patient’s concern by telephone, audio/video, secure text messaging, email or use of a patient portal. Standard Part B cost sharing applies to both. In addition, separate from these virtual check-in services, captured video or images can be sent to a physician (HCPSC code G2010).

E-Visits

Established Medicare patients may have non-face-to-face patient-initiated communications with their doctors without going to the doctor’s office by using online patient portals. These services can only be reported when the billing practice has an established relationship with the patient. The patient must generally initiate the initial inquiry and communications can occur over a seven-day period. The services may be billed using CPT codes 99421-99423 and HCPCS codes G2061-G2063, as applicable. Patients verbally must consent to receive the services, and the Medicare coinsurance and deductibles will apply.

CMS is currently receiving and approving Medicaid waivers from state agencies, and those waivers should be consulted for differing coverage conditions.

STATE LICENSING WAIVERS

The CMS Telehealth Guidance does not waive healthcare provider licensure requirements. With that said, many states have begun to either fast track the temporary licensing of out-of-state physicians and other practitioners or to recognize unrestricted out-of-state licenses to practice within that scope as sufficient during the pendency of the order. The Federation of State Medical Boards (FSMB) has compiled a list of links to emergency orders by governors and state agencies regarding licensure issues.

OIG - Reductions or Waivers of Cost-Sharing Obligations

The HHS Office of Inspector General (OIG) has issued a policy statement to notify healthcare providers that they will not be subject to administrative sanctions for reducing or waiving any cost-sharing obligations federal healthcare program beneficiaries may owe for certain telehealth services, subject to the conditions specified in the policy statement. The policy statement can be accessed here.

Routine reductions or waivers of costs owed by federal healthcare program beneficiaries, including cost-sharing amounts such as coinsurance and deductibles, potentially implicate the federal Anti-Kickback Statute, the civil monetary penalty and exclusion laws related to kickbacks, and the civil monetary penalty law prohibition on inducements to beneficiaries. Nonetheless, recognizing the unique circumstances resulting from the COVID-19 outbreak, the OIG will not subject physicians and other practitioners to OIG administrative sanctions for arrangements that satisfy both of the following conditions:

1. A physician or other practitioner reduces or waives cost-sharing obligations (i.e., coinsurance and deductibles) that a beneficiary may owe for telehealth services furnished consistent with then-applicable coverage and payment rules.

2. The telehealth services are furnished during the time period subject to the COVID-19 public health emergency declaration (the “COVID-19 Declaration”).

The policy statement is subject to the following additional considerations:

1. Nothing in the policy statement requires physicians or other practitioners to reduce or waive any cost-sharing obligations federal healthcare program beneficiaries may owe for telehealth services during the time period specified in condition 2 above.
2. For any free telehealth services furnished during the time period subject to the COVID-19 Declaration, the OIG will not view the provision of free telehealth services alone to be an inducement or as likely to influence future referrals (i.e., OIG will not view the furnishing of subsequent services occurring as a result of the free telehealth services, without more, as evidence of an inducement).
3. Nothing in the policy statement will affect the operation of CMS’s programmatic rules and regulations.
4. Nothing in the policy statement otherwise affects a physician’s or other practitioner’s responsibility to bill only for services performed and to comply with legal authorities related to proper billing, claims submission, cost reporting, or related conduct.
5. Nothing in the policy statement affects a physician’s or other practitioner’s responsibility to comply with federal, state, or local statutes, rules, regulations, ordinances, or other laws that may be applicable and in effect at the time.

The OIG has specifically reserved the right to reconsider the issues raised in the policy statement and to modify or terminate the policy statement at any time.

RELATED HIPAA AND PART 2 GUIDANCE DURING THE EMERGENCY WAIVER PERIOD

The HHS Office for Civil Rights (OCR) initially had issued a bulletin making clear that, even in emergency situations such as the COVID-19 outbreak, the protections of the HIPAA privacy rule still apply. OCR issued a limited waiver of certain HIPAA privacy requirements strictly for hospitals, but that waiver applies only during the first 72 hours of a hospital’s implementation of a disaster protocol.

OCR Waiver of Good Faith Telehealth under HIPAA Privacy and Security Rules

On March 17, OCR announced that it will exercise its enforcement discretion for healthcare providers that are covered entities under HIPAA who use audio or video communication technology to provide telehealth during the COVID-19 emergency period. On March 21, OCR issued further guidance on telehealth remote communications in the form of FAQs. In that guidance, OCR provided a very broad definition of telehealth services not limited by any payment or coverage restrictions imposed by third-party payors and Medicare or Medicaid. OCR states that it will use enforcement discretion and not impose penalties for HIPAA violations by healthcare providers acting in good faith to provide telehealth during the COVID-19 nationwide emergency. This means that providers may use video chat apps (e.g., such as FaceTime, Skype, Facebook Messenger, and Google Hangouts) regardless of whether the service relates to the diagnosis and treatment of conditions related to COVID-19 (e.g., sprained ankles and other covered medical conditions). Other technologies that are public facing, such as Facebook Live, Twitch, and TikTok, should not be used to provide telehealth services.

OCR also will not impose penalties on providers using a video communication technology in good faith from a vendor that does not offer HIPAA business associate agreements (BAA). Note that more vendors with video communication products are beginning to offer their solutions under a HIPAA BAA model that tracks the HIPAA Security Standards, and this market is likely to expand rapidly.

Providers will be expected to use encryption where the technology permits, and if using an unsecure technology, to notify patients of the privacy and security risks associated with the use of such technology. Provider should update their security risk assessments for these additional threats, vulnerabilities, and safeguards accordingly.

OCR also provided examples of what it considers the bad faith provision of telehealth services that would not be subject to enforcement discretion. Those examples include using public-facing products, conducting criminal acts (e.g., intentional invasion of privacy, fraud or identity theft), and further using or disclosing the information from a telehealth service improperly by selling it or using it for marketing purposes without authorization.

SAMHSA Part 2 Guidance

The HHS Substance Abuse and Mental Health Services Administration (SAMHSA) issued COVID-19 guidance for federal Part 2 Substance Use Disorder (SUD) programs as many SUD clinics may be shut down and their patients unable to provide in-person consent. Under the medical emergency exception, providers can use their professional judgment to determine whether a bona fide medical emergency exists. When the patient’s prior informed consent cannot be obtained, the SUD program provider may disclose SUD records to other medical personnel without consent as necessary to meet the medical emergency and document the disclosure after it is made. The medical personnel treating and receiving SUD information for the medical emergency may re-disclose the information for treatment purposes as needed.

Note that these waivers do not waive state law restrictions that are more stringent than HIPAA. Questions regarding whether a specific disclosure is permitted under HIPAA or whether applicable state law restrictions preempt HIPAA should be directed to legal counsel.