In response to the COVID-19 national emergency, the federal government has put forth temporary waivers to certain HIPAA and Medicare requirements to promote the use of telehealth. These waivers provide an opportunity for health care providers to start or expand their telehealth service offerings to patients. Here are a few key takeaways from these waivers that are described in detail below:

  • Medicare: During the COVID-19 national emergency, Medicare will pay for telehealth services without regard to where the patient is located. The patient could even be located inside his or her home during a telehealth session.
  • HIPAA: During the COVID-19 national emergency, providers can provide, without the threat of penalties from the Office of Civil Rights, telehealth services through common video conferencing vendors (e.g. FaceTime, Skype, etc.) who may not comply with HIPAA requirements.
  • Next Steps: If a provider wants to start or expand telehealth service offerings to patients, it is important to be mindful of the various legal issues described below, including appropriate licensure, informed consent, and payor reimbursement.

Expansion of Telehealth Reimbursement under Medicare

Starting on March 6, 2020 and continuing for the duration of the COVID-19 national emergency, Medicare will pay for professional telehealth services furnished to Medicare patients without regard to where the patient is located. A patient can receive telehealth services in any part of the country and from any location, including the patient’s home. This is a significant change from prior Medicare telehealth billing requirements, which required patients to be located within a designated rural area and to receive telehealth services only in certain types of medical facilities.

Medicare will pay for telehealth services under the Physician Fee Schedule at the same amount as in-person services. Patients are still subject to Medicare deductibles and coinsurance, but the waiver allows providers to reduce or waive cost-sharing requirements for telehealth services paid by Medicare.

To ensure that telehealth services qualify for Medicare reimbursement, the patient and provider must communicate with each other using an interactive audio and video telecommunications system that permits real-time communication between the “distant site” (where the provider is located) and the “originating site” (where the patient is located). Services such as Zoom, FaceTime, and Skype satisfy this requirement.

Medicare continues to restrict the types of “distant site” providers that may engage in telehealth services to: licensed physicians, nurse practitioners, physician assistants, nurse midwives, certified nurse anesthetists, clinical psychologists, clinical social workers, registered dietitians, and nutrition professionals. Unfortunately, the list of professionals has not been broadened to include other licensees, such as mental health counselors and marriage and family therapists. As discussed below, Medicaid and some private commercial payors do not have these same licensure restrictions.

Changes to HIPAA Telehealth Requirements

To encourage the use of telehealth technology, the Office of Civil Rights (OCR) will, during the COVID-19 national emergency, waive HIPAA penalties against health care providers related to the good faith provision of telehealth services to patients through common video communication technology such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype. As described above, Medicare will pay for telehealth services provided via such systems if they permit real-time audio and video communication. However, OCR emphasizes that “public facing” video communication applications such as Facebook Live, Twitch, and TikTok may not be used by providers to render telehealth services to patients.

Prior to the OCR’s waiver, providers faced HIPAA compliance issues in using popular video conferencing technology to provide telehealth services to patients. Many video conferencing technology vendors will not represent that they comply with HIPAA security safeguards and refuse to sign a HIPAA business associate agreement (BAA).

Under the waiver, OCR states that it will not impose penalties against providers for the lack of a BAA with a video conferencing vendor or for noncompliance with HIPAA privacy or security requirements related to the good faith provision of telehealth during the COVID-19 national emergency. OCR does, however, encourage providers to notify patients that the use of video conferencing applications could cause risks to the privacy of patient information. OCR also emphasizes that providers should also use any encryption technology if it is available with the video conferencing application.

Although OCR will not penalize providers who lack a BAA with telehealth technology vendors during the COVID-19 national emergency, OCR acknowledges that providers may want to enter into BAAs with vendors to ensure that the vendors take HIPAA requirements seriously. Despite the OCR’s waiver of penalties, patients could still file a lawsuit against a provider related to a security or privacy breach, so entering into a BAA with a telehealth vendor can be an important risk management strategy. To assist providers, OCR included a list of telehealth technology vendors who represent that they will enter into a BAA with providers:

  • Skype for Business
  • Updox
  • VSee
  • Zoom for Healthcare
  • me
  • Google G Suite Hangouts Meet

It is important to note that substance abuse providers who are subject to the confidentiality requirements of 42 CFR Part 2 need to continue entering into “Qualified Service Organization (QSO)” contracts with telehealth vendors. SAMHSA, the agency that oversees 42 CFR Part 2, has not issued waivers to 42 CFR Part 2 QSO requirements.

Next Steps

The waivers to the Medicare and HIPAA requirements related to telehealth should be welcomed by health care providers. The waivers provide an opportunity for providers to continue treating their patients while limiting potential exposure to the novel coronavirus.

If you, as a Washington State healthcare provider, want to start providing telehealth services to patients, or if you are already providing telehealth services to patients, here are few concepts to consider:

  • Free Telehealth Technology: To encourage the use of telehealth, the Washington State Health Care Authority is providing a certain number of licenses to the Zoom video conferencing service at no charge. Information on applying for one of these licenses is located here: https://www.hca.wa.gov/billers-providers-partners/prior-authorization-claims-and-billing/request-zoom-license-connect. It appears that HCA is intending that these licenses be used by small providers.
  • Licensure: Under Washington State Medical Commission guidelines, a provider using telehealth to practice medicine on Washington State patients must be licensed to practice medicine in Washington. For example, a provider licensed in Oregon cannot provide telehealth services to a patient located in Washington. Similarly, a provider licensed in Washington cannot provide telehealth services to a patient located in Oregon. However, a Washington provider may render telehealth services to a patient located outside of Washington if the patient has already met in-person with the provider, and the telehealth services are limited to clarification, advice, or follow-up related to the in-person visit.

Exception: During the COVID-19 emergency, the Washington State Department of Health (“DOH”) has stated that a health care entity in Washington State (e.g. hospital) may offer telehealth services to Washington patients that are provided by out-of-state providers employed by the entity if: (1) the providers do not have a pre-existing employment relationship with the entity, and (2) complete the application to register as an Emergency Volunteer Health Practitioner with the DOH. More information about this process is here:

https://www.doh.wa.gov/Emergencies/NovelCoronavirusOutbreak2020/HealthcareProviders/EmergencyVolunteerHealthPractitioners.

  • HIPAA Requirements: As stated above, OCR is encouraging the use of telehealth services even if a BAA may not be in place between the provider and telehealth vendor. However, providers should still consider asking vendors to sign BAAs for risk management purposes because they contain important protections for patient information. Providers should also try to provide a HIPAA Notice of Privacy Practices (“NPP”) to new telehealth patients that the provider has not seen in-person. But, as described above, OCR will not penalize providers for failing to comply with HIPAA requirements such as providing an NPP to a telehealth patient during the COVID-19 national emergency.
  • Informed Consent: Prior to rendering telehealth services to a patient, a provider should obtain the patient’s written informed consent to the telehealth services. An informed consent form should describe the services to be rendered, the anticipated results and benefits of the services, the risks related to the services, and any alternatives to the telehealth services. For the sake of efficiency, providers can ask patients to send a signed copy of the form via email (e.g. patient takes a picture of the form and then emails it with a smartphone) or via fax. Providers can also have patients sign the form via an electronic signature platform, such as Docusign.
  • New Patients: If a provider is seeing a new patient via telehealth, the provider should ensure that, in addition to an informed consent form, the patient completes the intake paperwork that new in-person patients must complete. The paperwork should include a demographic form where the patient provides contact information and a description of his or her medical problem, a financial agreement that describes the provider’s payment policies, and, as described above, an NPP. Similar to the informed consent form, patients can submit the completed paperwork to providers electronically.
  • Health Insurance Other Than Medicare: The Medicare waiver does not apply to telehealth services provided to beneficiaries of Medicaid or commercial health insurance. However, the Washington State Medicaid program will cover telehealth services delivered by any provider licensed in Washington State that are: (1) within the provider’s scope of practice, and (2) provided via HIPAA-compliant, interactive, real-time audio and video telecommunications (including web- based applications). Based on the OCR’s HIPAA enforcement waiver, these systems appear to include common videoconferencing systems like Apple FaceTime, Zoom, and Skype.

Similar to the Medicare waiver, Washington State law requires Medicaid and all commercial insurers to reimburse any licensed Washington health care provider for medically necessary telehealth services without regard to where the patient is located (e.g. patient’s home). However, commercial insurers have different coverage policies related to telehealth, so it is important for providers to verify coverage requirements with each of their contracted insurers.

The Medicare and HIPAA waivers provide important opportunities for providers to utilize telehealth services during the COVID-19 national emergency. Please reach out to Casey Moriarty at 206-447-7000 if you have any questions.

To see more COVID-19 updates, visit our COVID-19 Info Hub.

Practices & Industries

Health Law

Digital Health