Telehealth and COVID-19: Federal Update

March 20, 2020

Unsurprisingly, COVID-19 has greatly liberalized federal and state telehealth requirements previously in place. What has not changed is the fact that telehealth services are governed by a number of different laws and regulations, all of which are constantly changing – now more than ever.

Consequently, we have outlined the current guidance (as of March 18, 2020) applicable to those physicians and healthcare providers offering telehealth service to their patients. Please note that these laws are subject to change and require daily monitoring.[1] The delivery of telehealth is governed by a number of different laws and agencies, which we have highlighted below.

Medicare Requirements

Under the Coronavirus Preparedness and Response Supplemental Appropriations Act (Coronavirus Act),[2] the prior limitations pertaining to Medicare telehealth services are waived during this emergency situation (e.g., provision of telehealth limited to rural health areas). During the COVID-19 crisis, starting March 6, 2020:

All Medicare beneficiaries may receive telemedicine services; and
Medicare will provide payment for telehealth services provided in any healthcare facility, home, physician office, skilled nursing facility, and hospital – specifically telehealth visits, virtual check-ins, and e-visits, as outlined below.

Physicians and other qualified practitioners may provide covered services to individuals who received Medicare services from the physician or other qualified practitioner (or a physician or practitioner in the same practice) within the prior three years from the date of the telehealth services.[3] Telehealth services may be provided via the use of a phone as long as the phone has audio and video capabilities that allow for two way, real-time interactive communication (e.g., FaceTime).[4]

CPT codes and Medicare coverage can be grouped into telehealth visits (covering synchronous audio/visual visits between a patient and clinician for evaluation & management (E&M); online digital visits (digital visits and/or brief check in services furnished using communication technology that are employed to evaluate whether or not an office is warranted via patient portal or smart phone); and remote patient monitoring (collecting and interpreting physiologic data digitally stored and/or transmitted by the patient and/or caregiver to the physician or qualified health care professional. The American Medical Association has provided great chart summaries of the corresponding CPT codes and description for each of these categories, which can be accessed at: https://www.ama-assn.org/practice-management/digital/ama-quick-guide-telemedicine-practice.

Medicare Fraud Cautions

The Office of Inspector General (OIG) issued a policy statement on March 17, 2020 notifying physicians and practitioners that they will not be subject to administrative sanctions for reducing or waiving any cost-sharing obligations that Federal health care program beneficiaries would owe for telehealth services.[5] The OIG waiver requires the following: (1) the telehealth services must be furnished consistent with the then-applicable (described above) coverage and payment rules; and (2) they must be furnished during the time period of the COVID-19 Declaration (i.e. after January 27, 2020 until lifted).

On the other hand, the OIG is very clear that physicians and other practitioners are not required to either reduce or waive cost-sharing obligations and that those offering telehealth services to federal healthcare program beneficiaries must abide by all other federal, state, and local statutes and regulations in effect. Given the increase of enforcement activity on the telehealth front, physicians and other providers should not mistakenly assume that the OIG will not actively seek to enforce compliance with applicable laws and regulations related to telehealth.

Medicaid Generally

CMS also released Medicaid Telehealth Guidance to states, encouraging them to consider telehealth as an option to combat COVID-19 and increase access to care.[6] To help promote telehealth, CMS provides the following:

States are not required to submit a State plan amendment to pay for telehealth if the services are furnished in the same manner as when furnished face-to-face.[7]
States may pay a qualified physician or other licensed practitioner serving as the distant site billing provider, and the payment may include costs for the time and resources facilitating care at the originating site.
States may pay, separately or as part of the fee-for-service rate, for appropriate ancillary costs, including technical support transmission charges and equipment necessary for the delivery of telehealth services,[8] subject to an approved State plan payment methodology.

Specific State Medicaid Requirements

The various state agencies responsible for administering Medicaid must be checked by physicians and other providers for updates to the state Medicaid program.[9] Additionally, the state public health agencies may offer additional guidance.[10]

State Medical Licensure Requirements

For Medicare patients, CMS has temporarily waived requirements that out-of-state providers be licensed in the state where they are providing services as long as they are licensed in another state.[11] For Medicaid patients, an individual state must request a waiver if they want to employ them. As a general matter, state Governors in many jurisdictions have relaxed licensure requirements for physicians licensed in another state and/or retired or inactive physicians (e.g., Florida,[12] Georgia,[13] Ohio[14]). Ordinarily, these requirements address who can treat patients located in the state; the type of license that must be held; and requirements for any telehealth and teleprescribing (including emergency regulations to align state regulations with the January 31, 2020 emergency declaration issued by HHS allowing DEA registered practitioners to issue prescriptions during the COVID-19 crisis without an in-person evaluation if certain requirements are met).[15] The state statutes and regulations may also address whether care provided via telephone constitutes telehealth.

Third Party Payor Requirements

Third party payor requirements with respect to the provision and reimbursement of telehealth services will vary by third party payor (via contract or applicable policies and procedures). Accordingly, physicians and providers should review and confirm the same with their contracted third party payors. State statutes may include parity laws that require third party payors to reimburse providers for telehealth services that would be paid if the services were provided in-person.[16] This guidance follows on President Trump’s call in recent weeks for all insurance companies to expand and clarify their policies around telehealth. While there has been no commitment to date, we anticipate that we may see liberalization of payment requirements for telehealth from private payers as well.

Privacy & Security Requirements

From a privacy and security standpoint, HIPAA compliance is essential to the delivery of telehealth services. Telehealth visits should be conducted through a secure network to ensure the privacy and security of the interaction.

That said, on March 17, 2020, the Office of Civil Rights (OCR), which is the enforcement agency for HIPAA, announced that, effective immediately, it would exercise its enforcement discretion and waive potential penalties for HIPAA violations against health care providers serving patients through everyday communications technologies, such as FaceTime, Skype, Apple FaceTime, Facebook Messenger video chat, and Google Hangouts video, during the COVID-19 public health emergency.[17] Providers may use any non-public facing remote communication product that is available to communicate with patients. OCR cautions that Facebook Live, Twitch, TikTok, and similar video communication applications are public facing and should not be used in the provision of telehealth by covered health care providers. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Further, OCR reminds providers that they should provide such services through technology vendors that are HIPAA compliant and enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products; however, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors. Although it does not endorse any vendors, OCR lists the following vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA: Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet.

Further, OCR would exercise enforcement discretion for otherwise non-HIPAA compliant modalities, as long as they are used in good faith for any telehealth treatment or diagnostic purpose, even if the telehealth service is not directly related to COVID-19. This exercise of discretion recognizes the healthcare community's concerns about reaching those at risk, particularly older persons and persons with disabilities.

Sharing Information Generally

OCR also has issued a Bulletin reminding covered entities (i.e., Healthcare Providers; Health Plans; and Healthcare Clearinghouses) and their business associates how patient information may be shared under HIPAA during the COVID-19 health emergency.[18] Specifically, Covered Entities may disclose a patient's protected health information (PHI) without the patient's authorization:

To treat the patient or to treat a different patient;[19]
To a public health authority (e.g., CDC or state or local health department) authorized by law to collect or receive such information for the purpose of preventing or controlling disease;[20]
To a foreign government agency at the direction of a public health authority where the foreign government agency is acting in collaboration with the public health authority;[21]
To persons at risk of contracting or spreading a disease if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations;[22]
To family, friends, and others involved in an individual's care and for notification of those involved in a patient's care (including the police, the press, disaster relief organizations, or public at large), subject to certain permissions;[23] and
To anyone to prevent or lessen a serious and imminent threat to the health and safety of a person or public as long as such disclosure is consistent with applicable law and the provider's standard of conduct.[24]

The Bulletin also contains guidance reminding Covered Entities, even in the event of a public health emergency, of their following ongoing obligations:

To avoid disclosing an individual's PHI to the media or the public at large;
To make reasonable efforts to limit any authorized disclosures to PHI that is the "minimum necessary" to accomplish the purpose of the disclosure, except in the case of release for treatment purposes, where no such limit exists;
To apply their role-based access policies to limit access to PHI to only those workforce members who need it to carry out their duties;[i]
To implement reasonable safeguards to protect PHI against intentional and unintentional impermissible uses and disclosures; and
To apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic PHI.

Other Considerations

In addition to the considerations outlined above, physicians providers should ensure that they give consideration to the practical and operational issues that can arise with telehealth services, including:

Checking with their malpractice insurance carrier to ensure their policy covers providing care via telemedicine.
Checking with their EHR vendor to determine whether it includes a telehealth option. If so, making sure it's HIPAA compliant; determining what the pricing terms are; assessing what the storage capabilities are (these visits should be documented just the same as an in-person visit); and reviewing the termination provisions to ensure continuity of information and care.
Determining when, how, and the types of visits they are going to schedule telehealth visits.
Logistically, determining where the visits will be conducted and ensuring their privacy.
Adopting patient-facing telehealth policies and procedures so that they understand the process, including the execution of any telehealth consent required by state law and how to utilize the technology involved.

For more information, contact your Akerman healthcare attorney.

[1] As such, this publication is intended to inform clients and friends about legal developments and should not be construed as legal advice or legal opinion. Readers should not act upon the information contained in this update without seeking the advice of legal counsel, particularly given the current climate of constant change in legal authority associated with COVID-19.

[2] P.L. 116-123 (March 6, 2020).

[3] Id. at Section 102.

[4] Id.

[5] OIG, OIG Policy Statement Regarding Physicians and Other Practitioners that Reduce or Waive Amounts Owed by Federal Health Care Program Beneficiaries for Telehealth Services During the 2019 Novel Coronavirus (COVID-19) Outbreak (March 17, 2020), available at https://go.usa.gov/xdtXC (last accessed 3/19/2020). Typically, if providers routinely reduced or waived costs owed by Federal healthcare program beneficiaries, the Federal anti-kickback statute (AKS), civil monetary penalty and exclusion laws related to kickbacks, and civil monetary penalty law's prohibition on inducements to beneficiaries would be implicated. 42 U.S.C. §1320a-7b(b); §1320a-7(b)(7); §1320a-7a(a)(7); and §1320a-7a(a)(5).

[6] CMS, Medicaid State Plan Fee-for-Service Payments for Services Delivered Via Telehealth, available at https://www.medicaid.gov/medicaid/benefits/downloads/medicaid-telehealth-services.pdf (last accessed on 3/19/2020).

[7] If the rates or payment methodologies would be different from those furnished in a face-to-face setting, then a state must have an approved State plan payment methodology.

[8] Such ancillary costs would need to be part of an approved State plan payment methodology specifying ancillary costs and circumstances where payable.

[9] For example, the Georgia Department of Community Health ("DCH") issued Georgia Telemedicine Guidance on January 1, 2020. (See DCH, Telemedicine Guidance (1/1/2020), available at https://www.mmis.georgia.gov/portal/PubAccessProviderInformation/ProviderManuals/tabid/54/Default.aspx (last accessed 3/19/2020). To date, DCH has not made any changes to this Guidance, but we are monitoring it closely for any updates. See also LAC 50:I:505 (March 17, 2020)(providing for coverage of continued and expanded access to telemedicine for Medicaid recipients).

[10] E.g., the Georgia Department of Public Health has encouraged healthcare providers to "[c]onsider using telemedicine, nurse triage lines and other options to prevent people with mild illnesses from coming to clinics and emergency rooms." (GA DPH, COVID-19: Health Care Providers, Hospitals & Laboratories, Guidance for Health Care Professionals, available at https://dph.georgia.gov/covid-19-health-care-providers-hospitals-laboratories (last accessed on 3/19/2020).)

[11] CMS, COVID-19 Emergency Declaration Health Care Providers Fact Sheet, available at https://www.cms.gov/files/document/covid19-emergency-declaration-health-care-providers-fact-sheet.pdf (last accessed 3/19/2020).

[12] The Florida Surgeon General issued emergency order on March 16, 2020 permitting certain out-of-state licensed providers to provide services via telehealth for a period not to exceed 30 days unless extended by the state Surgeon General's order.

[13] See Georgia Composite Medical Board, GCMB Emergency Practice Permit/Temp License in Response to COVID-19 (March 16, 2020), available at https://medicalboard.georgia.gov/press-releases/2020-03-16/gcmb-emergency-practice-permittemp-license-response-covid-19 (last accessed 3/19/2020).

[14] See Governor DeWine Provides COVID-19 Update (March 14, 2020), available at https://governor.ohio.gov/wps/portal/gov/governor/media/news-and-media/covid-19-update-saturday-march-14 (last accessed 3/19/2020).

[15] E.g., the Georgia Composite Medical Board issued Ga. R & Regs. §360-3-.08 on March 19, 2020 allowing for electronic prescribing during the emergency.

[16] E.g., O.C.G.A §33-24-56.4.

[17] OCR, Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, available at https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html (last accessed 3/19/2020)(Other recommendations include: Review policies and procedures for infection prevention and mitigation and make sure all employees follow the appropriate steps; review guidance for the use of personal protective equipment (PPE); ask about travel history for patients presenting with respiratory illnesses; continue working closely with your local health department, DPH; and follow the CDC guidance).

[18] OCR, Office for Civil Rights, U.S. Department of Health and Human Services Bulletin: HIPAA Privacy and Novel Coronavirus (Feb. 2020) ("Bulletin"), available at https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf (last accessed 3/19/2020).

[19] 45 CFR §§ 164.502(a)(1)(ii); 164.06(c), and 164.501.

[20] 45 CFR §§ 165.501; 164.512(b)(1)(i).

[21] 45 CFR § 164.512(b)(1)(i).

[22] 45 CFR § 164.512(b)(1)(iv).

[23] 45 CFR § 164.510(b). The Covered Entity should get verbal permission from the patient or be able to reasonably infer that the patient does not object, when possible. If the patient is incapacitated, unconscious, or unavailable, the provider may disclose PHI to family if in the Covered Entity's professional judgment, doing so is in the patient's best interest. Patient permission is not necessary to disclose PHI to a disaster relief organization if it would interfere with the organization's ability to respond to an emergency.

[24] 45 CFR § 164.512(j).

This publication is intended for educational purposes and should not be construed as legal advice or legal opinion. Readers should not act upon the information contained in this update without seeking the advice of legal counsel, particularly given the current climate of constant change in legal authority associated with COVID-19.