Practice Management Alert

If you’ve been leaning on telehealth, know what you need to do to remain compliant.

COVID-19 infections are still raging across the United States, despite vaccines and other available infection control and prevention measures. The public health emergency (PHE) was renewed Oct. 13, 2022, said Xavier Becerra, Secretary of Health and Human Services, but its eventual end will mean medical practices need to prepare for some major changes.

Keep reading to find out what to do now to prepare for the eventual end of COVID-19 waivers.

Know Your State Licensing Laws

The Centers for Medicare & Medicaid Services (CMS) waived some national requirements surrounding physician licensing and location for telehealth services during the PHE. Although commercial insurance carriers may have their own policies, many follow CMS’ lead.

During the PHE, CMS allowed practitioners to provide Medicare telehealth services from their homes without requiring them to enroll their home addresses with the program. While the PHE remains in effect, practitioners can bill these services from their currently enrolled location, such as their practice address. When the PHE ends, practitioners will need to add their home addresses if they plan to continue furnishing telehealth services from home.

Additionally, once the PHE ends, providers providers will need look to their respective state laws for information on whether they can continue to bill Medicare for services rendered outside of their state of enrollment.

Plus, watch your prescriptions. The Drug Enforcement Agency (DEA) adjusted some rules around controlled substances for the PHE, allowing authorized providers to prescribe certain medications to patients via telehealth without in-person medical evaluations. While the PHE continues, practitioners at hospitals or clinics not registered with the DEA can still prescribe a controlled substances to patients.

You can find a “decision tree” for telehealth prescription considerations here, www.deadiversion.usdoj.gov/GDP/(DEA-DC-023)(DEA075)Decision_Tree_ (Final)_33120_2007.pdf.

Understand HIPAA-Related Responsibilities

The CMS PHE waivers related to COVID-19 relaxed a lot of the compliance rules surrounding telehealth — but not necessarily the rules surrounding billing or payment for telehealth services. When the PHE ends, various payment rules may or may not still apply.

The Office for Civil Rights (OCR) released guidance for healthcare professionals to help them navigate Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules.

OCR says that covered entities (CEs) need to put “reasonable safeguards” in place to keep patients’ protected health information (PHI) private in audio-only telehealth interactions, including seeking a private space for any conversations and lowering one’s voice if a fully private environment cannot be found. OCR notes that CEs need to confirm the patient’s identity either orally or through written means, while also complying with civil rights laws surrounding disability.

Remember this tip: The HIPAA Security Rule doesn’t apply to communications conducted via traditional landlines. OCR says, “a covered entity does not need to apply the Security Rule safeguards to telehealth services that they provide using such traditional landlines (regardless of the type of telephone technology the individual uses).” The telephone system the patient (or individual receiving the telehealth services) uses doesn’t matter, in terms of HIPAA. CEs aren’t “responsible for the privacy or security of individuals’ health information once it has been received by the individual’s phone or other device,” according to OCR.

However, if your office provides telehealth services using smartphone communications apps, voice over internet protocol (VoIP), any technologies that record or transcribe, or messaging services that electronically store information, the HIPAA Security Rule applies.

Additionally, CEs don’t need to enter into business associate agreements (BAAs) with telephone service providers in situations where the telephone company is merely a conduit for the PHI and has only “transient” access, OCR says.

Prepare for Audits, Too

You may run up against Office for the Inspector General (OIG) audits looking at how your practice has conducted telehealth services during the pandemic.

One example: “They’re going to really look to see how many of you billed for audio-only services as an office visit, incorrectly,” says Terry Fletcher, BS, CPC, CCC, CEMC, SCP-CA, ACS-CA, CCS-P, CCS, CMSCS, CMCS, CMC, QMGC, QMCRC, owner of Terry Fletcher Consulting Inc. and consultant, auditor, educator, author, and podcaster at CodeCast, in Laguna Niguel, California.

Auditors will also be looking out for seemingly minor hiccups in telehealth, like whether a provider fails to code at least part of an encounter as “audio-only” if video is lost during the visit, Fletcher warns.

Make sure your practice has a plan for security and privacy of telehealth encounters, going forward, as well as coding and reporting accuracy.

See the article “Take Note Now of These OIG Work Plans Surrounding Telehealth” in the Volume 22, Number 2 issue of Practice Management Alert for more information on telehealth audits.