Telemedicine Update: COVID-19 Prompts Rapid Regulatory Changes

March 24, 2020

By Amie K. Alexander

As Arkansas begins its second full week of battling COVID-19, telemedicine has emerged as a major weapon in fighting the pandemic. Last week, both the federal and state government issued notices of significant regulatory flexibility for telehealth services in hopes that health care providers can treat a higher number of patients and reduce the spread of COVID-19 by keeping more sick or high-risk patients at home. 

OCR Relaxes HIPAA Penalties for Good-Faith Provision of Telemedicine Services Utilizing Everyday Communications Technologies

On March 17, 2020, The HHS Office for Civil Rights (OCR), which enforces certain privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), announced that it will loosen regulatory restrictions for healthcare providers serving patients through telehealth. Specifically, OCR will exercise enforcement discretion and waive penalties for certain HIPAA violations against healthcare providers that serve patients in good faith through everyday communications technologies such as Apple FaceTime or Skype during the COVID-19 nationwide public health emergency. 

 Current regulations require providers to ensure that the technology platform used to provide telehealth services complies with stringent security standards under the HIPAA Security Rule. Additionally, many of these arrangements require the health care provider to enter into a Business Associate Agreement (BBA) with the technology platform. 

Under this notice, OCR will not impose penalties against covered health care providers for not having a Business Associate Agreement with video communication vendors or other noncompliance with HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. Importantly, this discretion is limited to utilizing non-public facing audio and video products. 

 Where possible, providers should make every effort to utilize HIPAA compliant technology platforms and enter into a BAA with the vendor. It is critical to note that this relaxation is both temporary and discretionary, and can change at any time. 

Medicare to expand Telehealth Visit Coverage 

The Centers for Medicare and Medicaid Services (CMS) announced it will temporarily waive current location limitations for Medicare patients to receive telehealth services. Under current regulations, Medicare only covers telehealth visits for beneficiaries in rural areas and at qualifying locations (such as a physician’s office). For the active period of the Public Health Emergency declared on January 31, 2020, Medicare will allow beneficiaries in all areas of the country to receive telehealth services at their home. 

Medicare Telehealth Visits 

Medicare patients may use telecommunication technology for office, hospital visits and other services that generally occur in person. The provider must use an interactive audio and video telecommunications system that permits real-time communication between the distant site (where the provider is located) and the patient at home.

These visits are generally covered at the same rate as regular, in-person visits. Medicare coinsurance and deductible would generally apply to these services. The OIG announced it will be providing flexibility for healthcare providers to reduce or waive cost-sharing for telehealth visits paid by federal healthcare programs during the national emergency in certain limited circumstances, which are outlined here. 

Additionally, CMS will not enforce its standard established relationship requirement for telehealth visits. Current regulations require that the patient have a prior established relationship with a particular practitioner; however, HHS announced it will not conduct audits to ensure that such a prior relationship existed for claims submitted during this public health emergency. Note that Arkansas law does have an established relationship requirement, which has not changed in light of the public health emergency. Providers should carefully comply with procedures for establishing a patient relationship set forth by the Arkansas Telemedicine Act and Arkansas Medial Board Regulations. 

Other Telehealth Services 

CMS emphasized that it currently pays for other telehealth services that providers should utilize as an important tool in the coming weeks and months. These services are not limited by patient location, and general rules for coinsurance and patient deductibles continue to apply. These services do require a prior established relationship, which will continue to be enforced for these services. 

Virtual check-in services are currently covered by Medicare. Providers may educate beneficiaries about the availability of the service, but patients will need to consent to receive virtual check-in services. Virtual check-ins can be conducted with a broader range of communication methods than Telehealth visits. Patients can also communicate with their providers without going to the provider’s office but by using an online patient portal, which providers can bill as E-Visits. E-Visits are also limited to established relationships.

Arkansas Medicaid to Expand Telehealth Coverage 

Following suit, Arkansas Medicaid issued notice that it would provide payment for telehealth services utilizing “real-time” technology, including telephone in certain circumstances. Arkansas Medicaid also announced it would add “virtual patient check-ins,” which may be used where an office visit code is not appropriate (for example, a telephone consult to determine if an office visit is necessary) (See March 18, 2020 Memorandum (DMS-01)). The virtual check-in must be provided by a clinician who can otherwise bill for services. Documentation levels and other requirements remain unchanged. Arkansas Medicaid is working with other carriers to follow suit. 

Under general payment policies, a provider and patient must have an established relationship before utilizing telemedicine. This requirement has been temporarily lifted. Arkansas Medicaid has also temporarily suspended its originating site requirements for providers and certain behavioral health providers to provide certain counseling services via telehealth technology (See March 18, 2020 Memorandum (DMS-01) and Memorandum (DMS-02))

State and Federal Telemedicine Law Still Intact 

The Arkansas Telemedicine Act and regulations put in place by the Arkansas Medical Board, such as requirements for an established relationship and informed consent, remain unchanged. In general, a healthcare provider must have a previously established patient/provider relationship. This relationship exists where, at a minimum, the provider performs an “in person” physical examination of the patient adequate to establish a diagnosis and identify underlying conditions and/or contraindications to the treatment recommended/provided (See Ark. Code Ann. § 17-80-402). However, the Arkansas Medical Board has provided that this relationship may be established using telecommunication technology where the provider performs a face to face examination using real time audio and visual telemedicine technology that provides information at least equal to such information that would have been obtained by an in-person examination (See Arkansas Medical Board Regulation 2.8). An important limitation is that telemedicine may only be used to establish a professional relationship for situations where the standard of care does not require an in-person encounter (See Ark. Code Ann. § 17-80-403). 

Critical Steps for Providers

Though many regulations have been relaxed to increase the utilization of telemedicine during the span of the COVID-19 public health emergency, providers should remember to exercise caution in doing so. These regulatory changes are both discretionary and temporary. Even while these updates remain in place only for the duration of the public health emergency, telemedicine is here to stay. Many arrangements will require a detailed written agreement to ensure compliance with complex regulatory issues such as CMS Telemedicine Rules for hospital credentialing purposes, fraud and abuse law compliance, and corporate practice of medicine issues. 

Providers should evaluate their current telemedicine practices and develop a plan to utilize this critical tool moving forward. Such considerations include: 

  • Do you currently have a Telemedicine Policy? 
  • Do you currently have a Consent to Participate in Telehealth Services? 
  • Assess whether a Telemedicine Agreement may be necessary. 

If you have these materials already, you’re one step ahead! Make sure to work with counsel to review and revise them if necessary to comply with current law and practice. If not, this is the critical time to put the building blocks in place for a service that will undoubtedly become the future standard.

Amie K. Alexander's practice is focused in the area of healthcare where she works primarily on various corporate and compliance matters. She drafts and reviews policies to ensure compliance with federal healthcare regulations such as HIPAA, Stark I and Stark II, Anti-Kickback and Medicare/Medicaid reimbursement.

Disclaimer: The information included here is provided for general informational purposes only and should not be a substitute for legal advice nor is it intended to be a substitute for legal counsel. For more information or if you have further questions, please contact one of our Attorneys.