A New Normal: Preparing Compliance Programs for Changes to Federal Telehealth Policy in a Post-Pandemic World

The rapid growth of telehealth during the COVID-19 pandemic continued and expanded access to care for millions of patients. Despite telehealth’s success in promoting continuity of care amid stay-at-home orders and social distancing mandates, navigating the increased need for telehealth services has presented unique challenges for compliance programs. 

Although some telehealth flexibilities have become a permanent part of health care delivery, others will lapse 151 days following the expiration of the federal public health emergency, which will not occur before October and is not anticipated until the end of the year. Although the exact date is still unknown, compliance professionals must again prepare to adjust telehealth policies, as federal government scrutiny of telehealth for fraud, waste and abuse accelerates.

Background

Since the beginning of 2020, the United States has been under a public health emergency (PHE) as a result of COVID-19. The PHE enabled the Department of Health and Human Services to waive certain requirements to ease access to health care amid the pandemic, including rules that previously limited telehealth services in the Medicare program and other federal health care programs.

The Centers for Medicare and Medicaid Services (CMS) exercised its wavier authority in a number of ways. For example, in the Medicare program, telehealth waivers have allowed beneficiaries to receive coverage for telehealth services regardless of the beneficiary’s location or the technological platform used. Because of these flexibilities, beneficiaries can receive telehealth services from their homes through smartphones instead of at a health care facility through specific, expensive interactive audio and video technology. In 2020, over 90% of Medicare beneficiaries received telehealth services while at home, which was prohibited before the PHE waivers.

CMS also expanded the types of treatment providers could offer through telehealth. For example, the waivers permit providers who hold a U.S. Drug Enforcement Administration (DEA) license to prescribe controlled substances through telemedicine to patients without first conducting an in-person evaluation, so long as certain conditions are met. 

Waiving technology requirements raises potential privacy and security issues for protected (individually identifiable) health information, as well as provider compliance with the Health Insurance Portability and Accountability Act (HIPAA) when conducting telehealth services through smartphones. As such, the federal government also declared its intention to use its discretion in enforcing HIPAA noncompliance occurring in good faith during the PHE. Some state governments also relaxed patient informed consent requirements with respect to receiving telehealth services through certain platforms. This enforcement discretion at the federal and state level has allowed providers to deliver care through a broad range of devices and technology platforms during the PHE.

Despite the waivers and enforcement discretion, some telehealth enforcement activity has continued. Given the massive increase in telehealth use and access, perhaps this continued enforcement is not surprising. During the pandemic the government investigated those areas of telehealth that are ripe for abuse, such as aggressive marketing for fraudulent or misleading services, as well as Medicare claims submissions for telehealth services. The Biden Administration will continue to prioritize — and likely increase — enforcement aimed at detecting and preventing fraud, waste and abuse in telehealth after the PHE.

Beyond the PHE

With accelerated enforcement efforts, shifting federal guidance, variations in rules among states and the end of some telehealth waivers, compliance professionals will need to stay abreast of these changes and ensure that their organizational policies reflect post-PHE requirements. Several key areas in federal telehealth regulation for compliance programs to consider include, but are not limited to:

1. Restrictions on Location and Technological Platform

The telehealth waivers expanded the types of services Medicare covers, some of which will remain in place following the PHE. For example, the Consolidated Appropriations Act of 2021 permanently eliminated restrictions on telehealth for Medicare beneficiaries receiving telebehavioral services. The Act removed beneficiary location requirements for mental health and substance use disorder treatment, thereby allowing patients to access diagnostic, evaluation and treatment services at home. In addition, the Act permanently eliminated certain video requirements for such services to be covered by Medicare. Now and in the future, beneficiaries can receive telebehavioral services through audio-only communication.

It remains to be seen whether other existing waivers for telehealth services will also become permanent. Apart from telebehavioral care and a few other limited exceptions, compliance officers should be aware that Medicare restrictions relating to the locations in which telehealth services may be received, and the types of technological platform required for a telehealth visit may return. As the scope of Medicare-covered telehealth services shifts, compliance officers should implement billing, record retention policies and claims submission practices that align with Medicare requirements for such services.

2. Restrictions in Scope of Practice

Unless the federal government makes certain telehealth scope of practice flexibilities permanent once waivers lift, the type of care providers can offer through telehealth will become limited. For example, it is unclear whether the DEA will extend its waiver that grants providers the ability to prescribe controlled substances through telehealth without first conducting an in-person evaluation. Maintaining this practice capability has garnered legislative support. The Telehealth Extension and Evaluation Act — introduced in February 2022 — would extend Medicare’s reimbursement of telehealth visits in which providers prescribe controlled substances for two years following the PHE’s expiration. However, this extension would directly conflict with restrictions under the Ryan Haight Act, which were put into place to curb abusive online prescribing practices. Compliance officers should stay updated on federal legislation concerning scope of practice requirements, as well as state rules that may further limit the types of services providers can offer using telehealth.

3. Restrictions to Satisfy HIPAA

Existing enforcement flexibility with respect to HIPAA compliance among telehealth providers is set to end once the waivers expire. This expiration would make enforcement of more stringent privacy and security requirements on telehealth platforms used during the pandemic more likely and could require changes to a provider’s current informed consent practices.

Although Medicare does not mandate providers to obtain patient informed consent to telehealth services, each state has its own informed consent requirements, some of which are specific to telehealth. Regardless of whether informed consent is required, maintaining an informed consent policy applicable to telehealth helps communicate the potential security risks of telehealth to patients and is thus an important component of a telehealth compliance plan.

Compliance officers also should understand that certain platforms through which telehealth services currently are provided may not be in compliance with law after the waivers are removed. To that end, compliance officers should identify the telehealth platforms currently used by their organization’s providers and evaluate the privacy and security risks of such platforms. Compliance officers also should review changes to state privacy requirements, as some states might establish rules more stringent than federal law.

Recommendations for Compliance Programs

Compliance officers should review their organization’s compliance programs with the expiration of the PHE waivers in mind. Compliance programs should identify all telehealth practices currently being conducted by practitioners in their systems and catalog those services by modality (synchronous/asynchronous), technology platform (interactive audio/video/phone only), location of the patient (home/facility) and codes billed. Such an inventory will assist in identifying current practices that they may need to change when the PHE waivers expire.

It is more important than ever to have an active regulatory affairs program that is closely monitoring developments at the state and federal level, as well as changes in CMS sub-regulatory guidance that could impact the provision of services. The regulatory affairs program should communicate those changes in a timely and effective manner to the compliance officer, as well as to operators who need to anticipate and implement changes to current practices.

Conclusion

The COVID-19 pandemic accelerated the use of telehealth as a primary form of health care delivery. Although the expiration of the PHE signals an end to some telehealth flexibilities, telehealth will continue to play a vital role in providing care to patients beyond the COVID-19 pandemic. As use of this delivery of care method increases, so too will enforcement of noncompliance with applicable law, as well as fraud, waste and abuse. Compliance officers must remain equipped with the knowledge and understanding of the dynamic interplay between federal and state telehealth laws to design programs that comply with applicable requirements. A well-designed compliance program will empower providers to continue offering services to a broader patient population through this essential health care delivery method.