On March 17, 2020, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) made important announcements that should promote the use of telehealth for the duration of the Public Health Emergency relating to COVID-19, and reduce the need for individuals to leave their homes to travel to hospitals, clinics and doctors’ offices to receive health care.
The actions taken by OCR and CMS address the use of audio and video communication technology for real-time two-way interactions between an individual and a health care provider, generally referred to as “telehealth” or “telemedicine.” Telehealth has been recognized as important tool for delivering health care services to underserved areas and to individuals who cannot travel to receive care, but federal health care programs have so far offered only limited coverage.
While the COVID-19 emergency prompted OCR and CMS to take these actions, the new flexibility OCR and CMS announced will not be limited to health care services relating to COVID-19. For example, if a patient requires care related to an existing condition, the new, temporary flexibility should apply to those services as well as to COVID-19 testing and treatment.
Expanded Medicare Payment for Telehealth
Medicare is the U.S. federal government’s program to cover the cost of health care for individuals who are age 65 and older, have certain disabilities, or have end-stage renal disease. Medicare has heretofore covered telehealth only for a limited range of services provided to individuals located in rural areas, and then only when those individuals were present at certain types of health facilities, such as a hospital, doctor’s office, rural health clinic, skilled nursing facility, and so on. Moreover, Medicare would pay for telehealth services only when provided by a health care professional who had an existing relationship with the patient.
CMS on March 17 announced that, while the emergency to continues, Medicare will cover telehealth provided in a broader variety of settings, such as the patient’s home and or in another care setting such as a nursing home, and without regard for whether the patient is in a rural or urban area. Moreover, Medicare will cover telehealth services that the professional provides to new patients and not just those with which the professional has an existing relationship.
Waivers of Cost-Sharing
Generally, a health care provider violates Medicare’s rules regarding fraud, waste, and abuse if the provider routinely waives patient’s cost-sharing obligations, such as copayments and deductibles. CMS’s March 17 announcement stated that the Office of Inspector General (OIG) of the Department of Health & Human Services will temporarily be “providing flexibility” for health care providers to reduce or waive patient cost-sharing for telehealth visits paid for by Medicare without the risk of enforcement actions. Therefore, health care professionals caring for patients through telehealth need not collect copayments and deductibles from those patients.
Waiver of HIPAA Security Requirements
Under the HIPAA Security Rule, covered entities that choose to communicate with individuals electronically must offer a secure means to exchange protected health information. A number of commonly used video conferencing technologies may not meet HIPAA’s requirements for security, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, etc.
OCR announced on March 17 that it will not seek penalties upon health care providers that use certain non-compliant technologies to provide telehealth services to individuals during the emergency. This leniency will be limited to non-public facing technologies, and providers are directed not to use public facing technologies such as Facebook Live or TikTok. This change should allow health care providers to expand their use of telehealth by making it available through platforms that are accessible to their patients.
Waiver of Certain HIPAA Privacy Requirements
Under the HIPAA Privacy Rule, covered entities are required to have a business associate agreement (BAA) in each outside party that creates, receives, maintains, or transmits PHI in the performance of a function, service, or activity for or on behalf of the covered entity. A number of video conferencing technology providers refuse to enter into a BAA with covered entity customers, often because they know their technologies do not comply with the HIPAA Security Rule. OCR’s March 17 announcement included a statement that it will not seek penalties against health care providers who use non-public facing technologies in good faith without a business associate agreement during the emergency. At the same time, OCR encouraged covered entities to seek out technology providers who do offer HIPAA-compliant solutions.
These actions by CMS and OCR involve the application of a number of rules that are quite complex, and penalties for non-compliance can be severe. No provider should act on this news without careful analysis of how the temporary flexibility the federal government is offering will affect them.
If you have any questions about the content of this alert, please contact the Pillsbury attorney with whom you regularly work, or the authors below.
Pillsbury’s experienced crisis management professionals are closely monitoring the global threat of COVID-19, drawing on the firm's capabilities in supply chain management, insurance law, cybersecurity, employment law, corporate law and other areas to provide critical guidance to clients in an urgent and quickly evolving situation. For more thought leadership on this rapidly developing topic, please visit our COVID-19 resources page.