Skip to Main Content
July 23, 2021

Health Law Weekly

Ramping Up for Surveys, Audits, and Investigations: What to Expect from State and Federal Regulators after COVID-19

  • July 23, 2021
  • Shalyn S. McKitt , Balch & Bingham LLP
  • John Wilson Booth , Balch & Bingham LLP
  • Caroline Toman , Balch & Bingham LLP

COVID-19 drastically impacted the provision of health care in America, and chief among these changes was the seeming disappearance of government regulation. Naturally, stay-at-home orders and the need to focus on the global health crisis lowered the priority of conducting routine surveys, audits, and investigations. But now with states reopening, government staff will surely be returning to their regularly scheduled business. This article will analyze the changes that have occurred since the emergence of COVID-19 and inform providers, suppliers, and health systems of what to expect from the Centers for Medicare & Medicaid Services (CMS), state Medicaid agencies, and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the near future.

Medicare and Medicaid During COVID-19

On January 21, 2020, the Secretary of HHS announced an official Public Health Emergency. Less than two months later on March 4, 2020, CMS suspended non-emergency survey activities in order to prioritize infection control and “immediate jeopardy situations.” CMS directed its focus towards the most serious health and safety threats and gave health care providers and suppliers time to respond to pandemic-related concerns. CMS also limited the remaining survey activity to a few categories including complaints alleging infection control concerns, surveys required by statute, and surveys of facilities with a history of infection control deficiencies.

Once the President declared a national emergency on March 13, 2020, the Secretary of HHS began permitting waivers and modifications of survey and audit requirements pursuant to Section 1135 of the Social Security Act. On March 20, 2020, CMS issued another memorandum that included a focused infection control survey and restrictions on health care facility visitations.

Several months later, CMS issued guidance for the limited resumption of routine survey activities and initiated a performance-based funding requirement tied to supplemental grants from the Coronavirus Aid, Relief and Economic Security (CARES) Act. In August 2020, CMS announced the resumption of all routine inspections of Medicare and Medicaid certified providers and suppliers, non-immediate jeopardy complaint surveys, and annual recertification surveys; and offered additional guidance to state survey agencies on resolving enforcement cases and the re-prioritization of survey activities.

However, even these guidelines were impacted by state laws concerning gatherings in public and employers’ policies of allowing their employees to work remotely. State agencies tasked with conducting Medicare surveys and Medicaid audits were not fully operational during COVID-19. [1]This decrease in operation, in turn, likely resulted in fewer state reviews during the pandemic. In ongoing efforts to ensure providers have the resources necessary to respond to the spread of COVID-19, CMS issued a policy memorandum in January of this year outlining expectations for states to contact their CMS Survey Operations Group when their health care facilities implement “Crisis Standards of Care.”[2]

Information Privacy During COVID-19

On December 18, 2020, OCR issued guidelines for covered entities “to use health information exchanges (HIEs) to disclose protected health information (PHI) for the public health activities of a public health authority (PHA).”[3] OCR also released general guidelines for doctors and hospitals on how to provide telemedicine services in compliance with HIPAA.[4] The guidelines became effective on January 20, 2021, and have no expiration date.[5] These guidelines provide a general rule for what video communication technologies comply with HIPAA and they apply to telemedicine services “provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”[6] Although motivated by COVID-19, the guidelines were broadly intended to generally improve public health.[7]

During the pandemic, the general rule for telemedicine was that “OCR [would] exercise its enforcement discretion and [would] not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”[8] This “good faith rule” is imperative for covered entities to follow when providing telemedicine services. The technological medium of communication for telemedicine must satisfy the good faith rule. Specifically, the technology used for telemedicine must be “non-public facing remote communication” technology.[9] Non-public facing remote communication technology is that which is designed and intended to “allow only the intended parties to participate in the communication.”[10] Such platforms are characterized by end-to-end encryption, individual user accounts, logins, and passcodes.[11] These characteristics all help to ensure the communications made during telemedicine appointments are limited to the health practitioner and patient.

The global shift to electronic and software solutions may have been necessitated by the pandemic, but is likely here to stay for the foreseeable future.

10 Tips for Moving Forward

So what should providers do now? With states reopening, CMS and state survey agencies are getting back to business, and OCR can more readily investigate complaints. In anticipation of this increased activity, providers should consider the following tips:

  1. Inquire about your next scheduled survey

CMS recently issued guidance suggesting that providers communicate with auditors and surveyors if they do not have the bandwidth to respond to audits or submit documentation on time.[12] Providers should remain in constant communication with audit vendors if they are experiencing delays in responding to audits or hope to make such requests. This communication starts with calling the applicable state survey agency or audit vendor and confirming when your next scheduled audit or survey will take place.

  1. Reevaluate Medical Necessity if you are an IRF

Even after COVID-19, Inpatient Rehab Facilities (IRFs) remain subject to some of the strictest documentation requirements.[13] Recently, audits of IRFs have focused largely on pre-pandemic claims activity. Thus, IRFs should make sure that claims made before COVID-19 meet both the medical necessity requirements and CMS requirements for payment of claims.

  1. Create a COVID-19 specific coding procedure

Industry consultants predict that audits of accurate diagnosis coding and appropriate use of waivers and COVID-19 relief funds will likely begin soon.[14] Thus, providers must distinguish between an active COVID-19 illness and an illness due to a history of COVID-19.[15] Due to the large amount of funding and number of COVID-19 related waivers available in the past year, providers must ensure they are documenting the use of all funds and applications appropriately.

  1. Check your existing revenue streams

During the pandemic, the HHS Office of Inspector General (OIG) largely prioritized the distribution of the Paycheck Protection Program and fraudulent products marketed to consumers and investors in 2020. This year it is prioritizing enforcement of the Provider Relief Fund (PRF).[16] The OIG has announced an audit targeted at providers’ compliance with use-of-funds reporting requirements related to the PRF.[17] Providers who made use of the PRF during the pandemic should therefore check how they used those funds and correct any issues with the OIG immediately.

  1. Apply for new laboratory certificates

In November 2020, CMS announced it would extend the expiration of laboratory certificates so that none could expire before a proper survey took place. Further, because providers face varying availability of surveyors, CMS provided an option for state agencies to conduct remote Clinical Laboratory Improvement Amendments (CLIA) surveys on laboratories with compliance histories meeting certain criteria.[18] If providers run CLIA certified facilities, it is time to renew those certificates as soon as possible.

  1. Reassess opioid use and disbursement

Any provider involved in the opioid supply chain remains subject to extra scrutiny by various OIG enforcement efforts.[19] The OIG pointed out that the pandemic likely contributed to an increase in overdoses and identified prescribers who ordered opioids for a large number of patients.[20] In fact, provisional data published by the Centers for Disease Control and Prevention suggests more opioid overdoses occurred in 2020 than ever before.[21] Therefore, if a provider disburses or prescribes opioids, it is imperative to reconsider the amount placed in the market.

  1. Stick to the “two-midnight” rule

An ongoing challenge for providers is the “two-midnight rule” for inpatient admissions in hospitals. Overpayment assessments considering the medical necessity of inpatient services will be under the microscope in the coming months because, in November 2020, the OIG called for CMS to continue its oversight of this rule.[22] Therefore, providers must consider drafting policies and procedures that emphasize the importance of this rule to their staffs.

  1. Review your telehealth policies and procedures

Now that telemedicine is commonplace, providers must ensure their telehealth services are compliant with OCR regulations. To comply with HIPAA, telemedicine must be conducted using proper technology, and in the proper location. Hospitals and care providers should ensure that (1) doctors use private locations and (2) patients are not in public or semi-public settings during telemedicine appointments. OCR also provided guidance for HIPAA compliance if, during a telemedicine appointment, either a provider cannot use a private location or a patient must be in public. In such situations, OCR recommends that covered health care providers implement “reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information (PHI).”[23] Those reasonable safeguards could be as simple as “using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI.”[24] Providers should ensure that their policies and procedures clearly train staff on these requirements now that OCR will have more ability to investigate questionable telemedicine practices.

  1. Enter into a Business Associate Agreement for extra protection

OCR encourages health care facilities to enter into business associate agreements (BAAs) with video communication providers for additional privacy protection.[25] OCR has provided a list of such providers of video communication products that satisfy the good faith rule and have indicated that they will enter into a BAA.[26] Even though the good faith rule may eventually fade away, providers can rely on the fact that OCR has supported arrangements with these providers for the provision of telemedicine services in the future.

  1. Learn the new disclosure guidelines

COVID-19 necessitated the need for disclosure of PHI so government agencies could calculate and confront the spread of the virus. When this need subsides, providers will need to be thoughtful of when disclosure of PHI is appropriate. For now, providers should stay cognizant of when disclosure is required by law, when it discloses PHI to an HIE, and when disclosure is necessary for a public health activity.[27]


While these ten tips aren’t an exhaustive list of issues providers should expect to face in the near future, recent trends suggest that these issues are some of the most likely to change as the country reopens. Providers should consider conducting a risk assessment to determine whether any of these issues will apply to them.


Shalyn S. McKitt is an Associate at Associate Balch & Bingham LLP. Shalyn is an experienced litigator with a diverse background representing clients in matters concerning health law, employment law, governmental affairs and administrative law, and regulatory matters. As a previous litigator for a state government and the federal government, Shalyn gained extensive courtroom experience with complex health care issues and a deep understanding for the intricacies of litigation in federal and state courts. Immediately prior to joining Balch, Shalyn worked in-house as Senior Legal Counsel for a health care technology company.

Caroline Toman is a 2021 Summer Associate at Balch & Bingham LLP’s Birmingham office. She is a rising second-year student at Harvard Law School interested in the intersection between the administrative state and healthcare law.

John Wilson Booth is a 2021 Summer Associate at Balch & Bingham LLP’s Birmingham office. He is a JD candidate at the University of Alabama School of Law, Class of 2022, where he serves both as the Acquisitions Editor for Alabama Law Review and as a research assistant for J. Shahar Dillbary. After graduation, he will be clerking for the Honorable L. Scott Coogler, Chief Judge of the Northern District of Alabama.


[1] David Wright, Cntrs. Medicare & Medicaid Servs., Suspension of Survey Activities (Mar. 4, 2020),

[2] Karen Tritz & David Wright, U.S. Dep’t Health & Hum. Servs., Cntrs. Medicare & Medicaid Serv., Hospital Survey Priorities (last revised Feb. 18, 2021),

[3] U.S. Dep’t Health & Hum. Servs., Off. Civ. Rts., OCR Issues Guidance on HIPAA, Health Information Exchanges, and Disclosures of Protected Health Information for Public Health Purposes (Dec. 18, 2020),

[4] U.S. Dep’t Health & Hum. Servs., Off. Civ. Rts , Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Jan. 20, 2021),

[5] Id.

[6] Id.

[7] Id. (quoting OCR Director Roger Severino, saying "OCR is issuing this guidance to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public's health, particularly during the COVID-19 public health emergency.").

[8] Id. (emphasis added).

[9] Id.

[10] U.S. Dep’t Health & Hum. Servs., Off. Civ. Rts., What is a "Non-public Facing" Remote Communication Product? (Apr. 10, 2020),

[11] Id.

[12] David Wright, Cntrs. Medicare & Medicaid Servs., Enforcement Cases Held during the Prioritization Period and Revised Survey Prioritization (Aug. 17, 2020),

[13] See American Health Law Association: New, But Not Normal—Audits, Surveys and Enforcements in 2021 (May 25, 2021),

[14] Id.

[15] See Id.

[16] U.S. Dep’t Health & Hum. Servs., Off. Inspector Gen., Audit of HRSA's Controls Over Medicare Providers' Compliance with the Attestation, Submitted-Revenue-Information, and Quarterly Use-of-Funds Reporting Requirements Related to the $50 Billion General Distribution of the Provider Relief Fund (Oct. 2020),

[17] Id.

[18] U.S. Dep’t Health & Hum. Servs., Cntrs. Medicare & Medicaid Servs., Clinical Laboratory Improvement Amendments of 1988 (CLIA) CMS Locations & State Agency Remote Survey Guidance (Jan. 8, 2021),

[19] U.S. Dep’t Health & Hum. Servs., Off. Inspector Gen., Year-end Review of Opioid Use in Medicare Part D (Mar. 2021),

[20] Id.

[21] Cntrs. Disease Control & Prevention, Nat’l Cntr. Health Stat., Provisional Drug Overdose Death Counts (July 14, 2021),

[22] U.S. Dep’t Health & Hum. Servs., Off. Inspector Gen., CMS Oversight of the Two-Midnight Rule for Inpatient Admissions (Nov. 2020),

[23] Id.

[24] Id.

[25] Supra, note 1.

[26] U.S. Dep’t Health & Hum. Servs., Off. Civ. Rts., Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Jan. 20, 2021), These providers are:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

[27] U.S. Dep’t Health & Hum. Servs., Off. Civ. Rts., HIPAA, HIEs, & Disclosures of PHI for Public Health Purposes (Dec. 18, 2020),