COVID-19 Brings CMS Expansion and HIPAA Modifications
Huge changes in HIPAA have just happened.
Telehealth has been enormously expanded and rules relaxed. It allows social distancing, provides for treatment of patients at home, lowers the number of patients seeking care in emergency rooms and urgent care centers, and protects health care workers.
We began writing about HIPAA and COVID-19 on March 3, reviewing the basic concept that HIPAA is not suspended during emergencies.
This is still true, but since then, the Office for Civil Rights (OCR) has issued multiple changes, with new guidance and FAQs to help navigate how to comply.
The Centers for Medicare & Medicaid Services (CMS) has expanded reimbursements for Medicare telehealth services to allow patients to receive care without having to travel to a healthcare facility.
A summary of all the recent waivers and modifications can be found in last week’s blog. But today the focus is telehealth.
CMS Expands Reimbursement for Telehealth
Before this waiver, Medicare limited reimbursements for telehealth to enrollees in underserved areas if they received telehealth services at a clinic, hospital or other medical facility. They couldn’t receive telehealth services from home. Under the expansion, trips to the healthcare facility are no longer required.
Retroactive to March 6, 2020
Medicare can pay for office, hospital, and other visits furnished via telehealth nationwide, including for patients at home, starting March 6, 2020 and for the duration of the COVID-19 national emergency.
Telehealth Services Covered
Medicare will pay doctors and hospitals for a broad range of telehealth services on a temporary basis – Medicare telehealth visits, virtual check-ins and e-visits. And it works for all kinds of professionals: doctors, nurse practitioners, clinical psychologists and licensed clinical social workers.
Telehealth visits will be reimbursed “in all areas of the country in all settings” at the same rate as regular, in-person visits. And they require real-time communication between providers and patients using both audio and video.
- Medicare telehealth visits use telecommunication technology for office visits, hospital visits and other services that generally occur in person.
- Virtual check-ins are brief communications between doctors and patients, such as text messaging. Providers can deliver virtual check-ins using a range of communications since they don’t require both audio and video capability. The CMS expects that patients will initiate most virtual check-ins by, for example, emailing their primary-care doctor.
- E-visits involve care delivered through a patient portal, which requires providers to have a preexisting relationship with a Medicare beneficiary.
The CMS Waivers
CMS has waived:
- the general policy that the physician must be licensed in the state where the patient is located at the time of treatment. States may request a waiver for Medicaid patients.
- the requirement that Medicare participating providers be enrolled in the State in which a patient is located, assuming they hold equivalent licensing in another State and are not affirmatively excluded from practice in a State.
- This temporary waiver applies not only to Medicare beneficiaries seeking counseling/treatment related to COVID-19, but to any medical service they need.
- A telephone that has both audio and video capability (e.g. a mobile phone) may now be deemed as meeting the requirements of “two-way real-time interactive communications” for purposes of telehealth.
- The OCR HIPAA waiver (discussed below) allows doctors to provide telehealth services with their personal phones and CMS will use enforcement discretion related to copays “so that cost won’t be a barrier.”
For more, see the CMS Medicare Telemedicine Fact sheet here.
OCR Relaxes HIPAA Requirements for Telehealth
OCR is suspending sanctions and penalties for violations related to telehealth services provided in good faith during this temporary COVID-19 emergency period. This applies to violations of the HIPAA Privacy, Security, and Breach Notification Rules. Note, the waivers apply to all providers but do not apply to HIPAA Rules in other areas of health care outside of telehealth during the emergency.
Key things to keep in mind:
- You may use an unsecure (unencrypted) platform for video/audio communication as long as it’s not “public-facing”.
- Get a Business Associate Agreement (BAA) with the telehealth app provider if you can. The only providers offering BAAs are those whose platforms are encrypted, so you may need to proceed without a BAA, which is now permitted under the relaxed rules.
- If you are not using an encrypted telehealth app, OCR encourages you to inform patients of potential privacy risks from their use.
OCR Guidance on Acceptable Telehealth Platforms
Public-facing apps like TikTok, Facebook Live, Twitch, or a chat room like Slack are not acceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
See OCR’s March 17 Notification of Enforcement Discretion for Telehealth During COVID-19 here.
See OCR’s March 20 FAQs on Telehealth and HIPAA during COVID-19 here.
The HIPAA E-Tool® Stays Up-to-Date
If you’re using The HIPAA E-Tool® you’ll find new forms (customized to your organization), glossary terms, and references to help you navigate HIPAA compliance during the COVID-19 national emergency.
We’re answering questions from everyone, not just clients.
If you need help, email or call us.