April 16, 2021

COVID-19, Telehealth, and What to Expect Going Forward

This Briefing is brought to you by AHLA’s Enterprise Risk Management Task Force.
  • Krystyna Monticello, Oscislawski LLC
  • Helen Oscislawski, Oscislawski LLC

On January 31, 2020, then Department of Health and Human Services (HHS) Secretary Alex Azar declared a public health emergency for the United States to aid the nation’s health care community in responding to COVID-19.[1] The pandemic hit New Jersey suddenly, much like other states. On March 4, 2020, the first presumptive positive case of COVID-19 in New Jersey was announced.[2] What followed next was a wave of shutdowns aimed at “flattening the curve,” effectively crippling New Jersey and the Tri-State area. New Jersey, New York, and Pennsylvania schools began to close, followed by movie theaters, gyms, casinos, salons, the performing arts, and significant curfews on non-essential businesses.[3]

As the COVID-19 pandemic spread across the country, hospital admissions, emergency department visits, and medical office visits fell sharply, largely due to concerns about spreading the virus, and elective surgeries and invasive procedures were postponed in many states.[4] The message conveyed at that time was that individuals should suspend in-person care for non-urgent or routine treatment. Providers scrambled to implement mechanisms to provide telehealth visits, or to increase existing telehealth capabilities in order to handle the increased volume of patient requests.[5]

Although telehealth was hardly in its infancy, availability and coverage for telehealth visits varied greatly pre-COVID-19 at the state and federal level. For example, while New Jersey telehealth regulations more widely permitted and required reimbursement for the provision of telehealth services, Medicare policies allowed for telehealth services only in very limited rural settings and with site-related restrictions.

This briefing examines the temporary COVID-19 and public health emergency (PHE) waivers and enforcement discretion at the federal and state levels for the duration of the COVID-19 PHE, and some of the challenges and considerations moving forward with telehealth after their expiration.

Federal Telehealth

CMS Waivers, Enforcement Discretion, and Billing FAQs during the COVID-19 PHE

The Centers for Medicare & Medicaid Services (CMS) announced in March 2020 multiple waivers and changes allowing for flexibility in providing telehealth remote communications during the COVID-19 PHE.[6] Although CMS had somewhat expanded the scope of Medicare telehealth coverage prior to the beginning of the COVID-19 PHE, CMS reimbursement policies covered only certain telehealth services in designated rural areas that could not be provided to the patient at his or her home, with limited exceptions (such as some substance abuse services). CMS reimbursement policies also did not provide telehealth coverage for new/unestablished patient visits.

The March 2020 COVID-19 PHE waivers and other flexibilities from CMS allow for Medicare beneficiaries to receive telehealth services from their homes as well as any health care facility. In addition:

  • The type of telehealth services was expanded to include evaluation and management (E&M) encounter visits, preventive health screenings, and mental health counseling, among others, with over 100 additional codes added as eligible for telehealth services;[7]
  • The range of providers eligible to bill Medicare for such telehealth services was expanded to include clinical social workers and psychologists, occupational therapists, speech language pathologists and others (this has been made permanent in 2021);
  • Telehealth services may be provided to Medicare beneficiaries across state lines, if providers can do so in compliance with applicable state licensing and other laws;
  • Enforcement discretion is extended to Medicare’s “prior patient relationship” requirement, meaning a provider may generally provide certain telehealth services to new patients as well as established patients;
  • Telehealth visits are paid for by Medicare at the same rate as if the visit were in person;
  • General and direct supervision requirements are temporarily relaxed, and may be provided virtually through audio/video real-time communications technology; and
  • Although most telehealth services must be furnished using telecommunications technology that has audio and video capabilities used for two-way, real-time interactive communication, limited telephone evaluation and management codes and certain counseling, behavioral health care, and educational services may be furnished using audio-only communications technology.

While small steps have been taken to make permanent the expanded authorization for the use of certain telehealth services, and, concomitantly, Medicare reimbursement[8] for such services, all waivers will expire at the end of the COVID-19 PHE. Many in Congress are now supporting permanently expanding telehealth before the window of opportunity has passed. To this end, bills like the Telehealth Expansion Act of 2021 (H.R.341) have been recently introduced, but as of the date of this article none have yet been enacted.[9]

HIPAA Privacy and Security Enforcement Discretion

In order to support the increased need for telehealth remote communications, the Office for Civil Rights (OCR) released a Notification of Enforcement Discretion in March 2020. The enforcement discretion was made effective immediately and will remain in effect for the duration of the COVID-19 PHE under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Pursuant to that guidance, OCR is currently waiving penalties for any HIPAA violations that arise from the good faith provision of telehealth communications, whether or not related to the provision of COVID-19 services.[10] Covered entity health care providers are temporarily permitted to use technology such as FaceTime, Facebook Messenger, Zoom, Skype, and other non-public forms of communication in order to provide services, even if the application being used is not compliant with HIPAA. Penalties will also be waived for a provider’s failure to have a business associate agreement (BAA) in place with any vendor that would be considered a business associate of the provider under HIPAA, as well as in the event of a breach that occurs as a result of use of such communication mechanism.

The enforcement discretion applies only to violations of the Privacy Rule, Security Rule, and Breach Notification Rule when providing telehealth services and does not apply to other areas of HIPAA, such as non-compliance with the prohibitions on marketing or sales of protected health information, or patient access rights. Public-facing applications such as Facebook Live, TikTok, Twitch, and similar forms of communications are also not permitted. The enforcement of applicable state data privacy and security laws would be subject to any temporary waivers or enforcement discretion granted by such state.

Although OCR may be exercising enforcement discretion, risks remain with the widespread and relatively swift adoption of telehealth services. Platforms such as Zoom’s free version have had security vulnerabilities identified in the past, and may remain vulnerable to hacking. Use of telehealth platforms also implicates the need for robust access controls (internal and patient-facing) as well as integrity controls, particularly if the telehealth platform collects and stores information about the patient and/or integrates with the provider’s electronic medical record system or patient portals. OCR encourages securing telehealth communications through available encryption and privacy modes provided by HIPAA-compliant vendors pursuant to HIPAA BAAs. OCR also encourages providers to notify patients of the privacy risks that could be introduced by such third-party applications.

State Telehealth

After over a decade of slow progress, nearly all states had adopted at least some form of law governing telehealth when COVID-19 hit. Telehealth-related state laws address topics such as professional regulation (e.g., which types of licensed health care professionals can provide telehealth services to patients), and reimbursement by private health insurers and Medicaid. As expected, these laws vary from state to state. In the Fall of 2020, The National Telehealth Policy Resource Center of the Center for Connected Health Policy published its 50-state report, “State Telehealth Laws & Reimbursement Policies.”[11] Among other things, the report revealed limitations in many states with regard to reimbursable modalities (i.e., no payment for telephone consults), the types of reimbursable services, and location where a patient may receive telehealth treatment. As a result, executive action by governors and state agencies was necessary to overcome state barriers and meet an increase in demand for telehealth due to the pandemic.

According to data collected and maintained by The National Telehealth Policy Resource Center, all 50 states and the District of Columbia made at least some revision to their telehealth policies as a result of COVID-19.[12] Many states expanded the number of services that may be delivered through telehealth, like mental health counseling, which had largely been excluded. Adjustments were also made to the modalities by which such services may be delivered to include telephone consultations, and to address the emailing and faxing of information. Practitioner licensing requirements were also modified to allow for more expeditious cross-state licensing to address region-specific surges, as well as patients who traveled to other states to take up residence elsewhere, either temporarily or for an indeterminate period of time. Finally, changes were made to reimbursement policies to allow practitioners to bill for telehealth services not reimbursable in the past.

To illustrate just a few examples of such changes, Arkansas, Kansas, and Maine suspended their requirement that there first must be an in-person visit before a telehealth consultation could occur, instead allowing the patient-provider relationship to be established via telehealth.[13] Louisiana expanded the types of licensed health care practitioners permitted to furnish telehealth services to include licensed counselors, psychologists, and clinical social workers.[14] New Jersey expanded its Medicaid reimbursement to include live video and remote patient monitoring under certain circumstances.[15]

Most of these state actions are temporary and expected to last for the duration of the nationally-declared PHE. However, this too may vary state-by-state. Most state governors have issued executive orders to declare a state of emergency for their states due to the pandemic. These orders typically have to be renewed by the governor on a regular basis (e.g., every 30-60 days) if, after assessing the circumstances of their particular state, it is determined that the state of emergency needs to continue.[16] Many of the waivers and adjustments to state telehealth policies are tied to the continuation of the respective state’s declaration of a state of emergency, and not to just the PHE. Therefore, providers will need to monitor the status of adjustments and waivers to telehealth policies in states where they are licensed and where they are providing cross-state telehealth services.

Telehealth After COVID-19

Providers must be prepared to move forward into a new world of telehealth service post COVID-19. As a light appears at the end of the tunnel with the roll-out of vaccines and plateauing rates of infection, providers can begin to assess the steps below to better position themselves to move forward with what will likely be the permanent provision of expanded telehealth services.

Medicare and State Law Considerations

  • Identify and inventory all of the states in which the provider furnishes telehealth to patients, as well as states in which the provider has obtained temporary credentials.
  • Inventory and document all forms and locations of telehealth remote communication currently in use by providers during the COVID-19 PHE and determine their appropriateness after the PHE ends.
  • Evaluate continued qualifications for providers to provide telehealth services. Non-physician provider telehealth services, such as occupational therapists, clinical social workers, and clinical psychologists, have been made permanent by CMS in 2021, but whether such non-physician providers will remain eligible under state law to provide telehealth services after the COVID-19 PHE may vary.
  • Identify, evaluate, and document any patient care for which telehealth would not be appropriate after the PHE ends (for Medicare) and after declarations of states of emergency expire for applicable states.
  • Develop an inventory list of telehealth services currently billed against CMS permanent telehealth policy changes for 2021 under the Medicare Physician Fee Schedule,[17] applicable State Medicaid COVID-19 policies, as well as private health insurance COVID-19 policies.
  • Assess form, content, and manner of patient consents (and include documentation of patient consent in the medical record) used to capture a patient’s willingness to use telehealth remote communications. Include language informing patients of the security risks inherent with telehealth remote communications.
  • Assess direct and general physician supervision, if any, that is temporarily provided via telehealth for services that may be furnished and billed incident to a distant site physician/non-physician practitioner’s service under supervision of the billing provider through real-time, interactive audio and video technology. The Medicare supervision changes are temporary at this time, expiring on December 31, 2021, or, if later, the end of the calendar year in which the PHE ends.
  • Monitor expirations of declarations of states of emergency, and be prepared to revert practices back to pre-COVID-19 standards if temporary suspensions to telehealth requirements for the applicable state are not made permanent through legislation or other administrative action.

HIPAA Privacy and Security Considerations

  • Conduct a security risk assessment in order to evaluate the adoption or changes to telehealth remote communication platforms during the COVID-19 PHE and whether these platforms are appropriate for continued use after the COVID-19 PHE. This includes evaluating all available security mechanisms, such as end-to-end encryption, and all security risks and vulnerabilities, including whether the telehealth platform integrates with any provider electronic medical record systems or patient portals, current access controls, and whether providers have been providing telehealth services using their personal mobile devices and/or from unsecured locations.
  • Determine whether vendors providing telehealth remote communication services are, in fact, HIPAA business associates of the provider. That is, does the vendor create, receive, transmit, or maintain protected health information for or on behalf of the provider? If so, ensure a business associate agreement is obtained prior to the end of the COVID-19 PHE.
  • If communication mechanisms such as Facebook Messenger or Apple FaceTime are currently being used, consider moving towards use of alternative mechanisms for conducting telehealth services. Although there is an argument that Facebook and Apple could be viewed as acting only as “conduits,” and are therefore not business associates subject to HIPAA, OCR does not specifically address these popular communication mechanisms as meeting the definition of “conduit” in the Notification of Enforcement Discretion or related FAQs, nor in any other HIPAA guidance. Hence, continued use of Facebook Messenger or Apple FaceTime on the basis that they are mere “conduits” is risky both to the patient and the health care provider.

[1] Press Release, Secretary Azar Declares Public Health Emergency for United States for 2019 Novel Coronavirus,

[2] Attrino, Anthony G., N.J. Coronavirus Update: Fort Lee man, 32, is first to test positive for virus in state, (March 5, 2020),

[3] Press Release, Governor Murphy Announces Aggressive Social Distancing Measures to Mitigate Further Spread of COVID-19 in New Jersey,; Press Release, Governor Cuomo Signs Executive Order Closing Schools Statewide for Two Weeks,; Press Release, Governor Wolf Announces Closure of Pennsylvania Schools,

[4] Birkmeyer, John D., Barnato, Amber, Birkmeyer, Nancy, Bessler, Robert, Skinner, Jonathan, The impact of the COVID-19 Pandemic on hospital admissions in the United States, Health Affairs 39, No. 11 (2020),; Mehrotra, Ateev, Chernew, Michael, Linetsky, D, Hatch, Hillary, Cutler, David, The impact of the COVID-19 pandemic on outpatient visits: Practices are adapting to the new normal, The Commonwealth Fund (2020),; American College of Surgeons, COVID-19: Recommendations for Management of Elective Surgical Procedures (,; See also, Press Release, Governor Murphy Suspends All Elective Surgeries, Invasive Procedures to Preserve Essential Equipment and Hospital Capacity,

[5] Centers for Disease Control and Prevention, Morbidity and Mortality Weekly Report, Trends in the Use of Telehealth During the Emergence of the COVID-19 Pandemic, United States, January–March 2020,;

[6] Medicare Telemedicine Health Care Provider Fact Sheet,; COVID-19 Frequently Asked Questions (FAQs) on Medicare Fee-for-Service (FFS) Billing,

[7] Centers for Medicare and Medicaid Services, List of Telehealth Services,

[8] Press Release, Trump Administration Finalizes Permanent Expansion of Medicare Telehealth Services and Improved Payment for Time Doctors Spend with Patients,

[10] Notification of Enforcement Discretion for Telehealth,; FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency,

[11] Report on State Telehealth Laws and Reimbursement Policies, Center for Connected Health Policy (Fall 2020),

[12] Center for Connected Health Policy, COVID-19 Related State Actions, (visited March 6, 2021).

[13] Id.

[16] Executive Order No. 21-34, issued by Governor DeSantis of Florida,

[17] CMS Physician Fee Schedule Final Rule, available at (visited February 28, 2021); CY 2021 Medicare Physician Fee Schedule fact sheet (, available at (visited February 28, 2021).