Telehealth compliance is a balance of increasing access to care and protecting patients, while also adopting annual regulation changes.
Telehealth visits skyrocketed in 2020 and usage remains 38 times higher than pre-pandemic levels. Both physicians and patients enjoy the flexibility telehealth offers, which was expanded during the pandemic to increase accessibility. These leniencies allowed for:
- More services. Reimbursement inclusion for a wide variety of services previously such as initial inpatient visits, home visits, initial nursing facility visits, and more.
- More providers. Doctors, nurse practitioners, clinical psychologists, licensed clinical social workers and others were able to offer specific telehealth services, even across state lines with fewer licensing hoops.
- More settings. Increased locations including a physician office, hospital, nursing home, or rural health clinic – in addition to a provider’s home.
- More opportunities. Easier ways for patients and providers to communicate without fear of penalty for violations of the HIPAA Privacy, Security, and Breach Notification Rules.
Regulatory agencies are continuously reviewing pandemic-era flexibilities, determining which should remain and which should be rolled back. This article provides an overview of telehealth compliance changes for professionals, along with resources to help you prepare.
Post-Pandemic Telehealth Compliance Changes
Telehealth compliance regulations will not return exactly as they were prior to the pandemic. Some regulations have been eliminated, some leniencies extended, and new regulations are coming. Here are important dates related to telehealth compliance changes:
- May 11, 2023: End of the Public Health Emergence (PHE)
- August 9, 2023: The Office for Civil Rights (OCR) transition period ends
- October 9, 2023: The 151-day telehealth extensions end
- January 1, 2024: CMS’s calendar year (CY) 2024 telehealth codes go into effect
- December 31, 2024: The flexibilities afforded by the Consolidated Appropriations Act (CAA) extension end
- December 31, 2024: CMS’s CY 2024 telehealth codes end
- January 1, 2025: CMS’s CY 2024 telehealth codes go into effect
Telehealth Compliance and HIPAA Rules
The Health Insurance Portability and Accountability Act (HIPAA) exists to provide regulations and best practices for sharing sensitive healthcare data. In 2020, telehealth compliance with HIPAA regulations was loosened considerably by HHS, permitting healthcare providers across the country to use communication services without the risk of violating HIPAA rules for the good faith provision of telehealth services. This flexibility is granted only during the PHE, after which the regular standards will revert back to normal.
According to the National Consortium of Telehealth Resource Centers, these are some of the most common violations to be aware of:
- Having phone conversations with patients in a public space or on speakerphone
- Initiating telehealth visits with patients using shared devices
- Communicating health information with patients using unencrypted email
- Texting with patients using consumer messaging apps
- Conducting telehealth visits with patients on mobile devices over VOIP or a public wi-fi network
- Having no mechanism for verifying patient identity and/or portal account login
- Conducting telehealth visits using unencrypted consumer video platforms
- Conducting telehealth visits on a telehealth platform without a Business Associates Agreement
- Not asking/documenting who is in the room with a patient during a visit or sharing who is in the room with the provider
CMS Telehealth Regulations
The Centers for Medicare and Medicaid Services (CMS) publish final rules annually to establish physician fee schedules, or the services that Medicare will reimburse.
In addition to being aware of the CMS final rules (published on November 1), CMS also made permanent some pandemic-era changes that offer greater access for Medicare beneficiaries related to telehealth services for mental/behavioral health. Many telehealth flexibilities were also extended through December 31, 2024 (as part of the Consolidated Appropriations Act).
- People with Medicare can access telehealth services in any geographic area in the United States, rather than only those in rural areas.
- People with Medicare can stay in their homes for telehealth visits that Medicare pays for, rather than traveling to a healthcare facility.
- Certain telehealth visits can be delivered audio-only (such as a telephone) if someone is unable to use both audio and video, such as a smartphone or computer.
Use the Best Practice Guides for Telehealth Providers by Type from HHS as a resource.
DEA Telehealth Regulations
The Drug Enforcement Administration regulates the prescription of controlled substances via telehealth visits. The DEA has proposed rules for the permanent telehealth flexibilities related to prescribing controlled substances for patients who have not previously been seen in-person.
State Telehealth Regulations
States are mostly following federal regulations, making way for providers to offer more telehealth services to more patients. States can (and do) set additional requirements and have also significantly expanded telehealth options to improve access to healthcare. According to an October 2021 report by the Centers for Connected Health Policy, “no two states are alike in how telemedicine is defined and regulated.” In addition to all of the federal regulations cited in this article, compliance pros should also be familiar with state privacy laws and telemedicine confidentiality requirements. When it comes to credentialing, make sure that you are meeting the state’s guidelines where your patient is receiving care (e.g., reimbursement policies, clinician licensure).
Tips to Effectively Manage Telehealth Compliance
Adding the complexities of telehealth compliance to your already full plate is sure to be a challenge. But there are ways to streamline the process.
- Create reminders to update policies. It’s ideal to have all your documents and policies in an online compliance platform, such as MedTrainer Compliance, so staff can access any time, anywhere. By setting a document expiration date, you will receive automatic reminders to make policy updates. You can also track version history and comments from key stakeholders.
- Keep a copy of state telemedicine regulations with your own telemedicine policies. Providers are more likely to remain compliant if you make it easy. This is especially important if your providers are caring for patients across state lines.
- Conduct a regular Security Risk Assessment. Use the online SRA tool within the MedTrainer platform to conduct annual security risk assessment to ensure your facility and providers are remaining HIPAA-compliant.
- Assign telehealth and HIPAA security training for all staff to complete. MedTrainer Learning offers several HIPAA options including a microlearning course that can be used as a refresher throughout the year.
- Automate recredentialing tasks and requests. Providers must be credentialed in all states where they are providing care, which means multiple recredentialing and enrollment dates and processes to manage. MedTrainer Credentialing Software can help to keep you organized and on track.
About the Author
Brian Williams has extensive healthcare management experience in business development, support staff management, compliance, and regulatory affairs. He leads the development of MedTrainer’s customized compliance products including Emergency and Disaster Preparedness Plans. He has served on the MedTrainer Education and Development Board for the past five years, authored numerous courses, and is responsible for the Custom Course Design Team at MedTrainer.