HHS Lessens Restrictions on Telehealth Services During COVID-19 Outbreak
We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities. – Roger Severino, OCR Director.
Holding true to this statement, on March 17, 2020, two separate divisions of the U.S. Department of Health & Human Services (“HHS”) issued notices that further enable healthcare providers to treat their patients through remote technologies that are readily available, rather than through traditional telehealth means.
In its first pronouncement, HHS’s Office of Inspector General (“OIG”) issued a Policy Statement and related Telehealth Fact Sheet regarding the routine waiver of beneficiaries' cost-sharing obligations for telehealth services. In a March 9, 2020 Client Alert, we summarized the federal government’s emergency legislation that expanded the ability of providers to render telehealth services to their patients during the Coronavirus Outbreak. The new OIG’s Policy Statement complements the recently-enacted Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020 by suspending enforcement of the penalty provisions related to routine waivers of co-pays under the Civil Monetary Penalty Law and the Anti-Kickback Statute.
Under normal circumstances, providers are prohibited from routinely waving a federal program beneficiary’s cost-sharing obligation absent a genuine and documented hardship. The OIG’s Policy Statement will allow beneficiaries to obtain telehealth services rather than going to their provider’s office during the COVID-19 outbreak without worrying about his/her cost-sharing obligations. For providers, this will allow them to provide telehealth services without having to collect the co-pay without fear of an enforcement action. The services, however, must be rendered during the time period set forth in Secretary Azar’s January 31, 2020 Determination that a Public Health Emergency Exists (“COVID-19 Declaration”). Providers are also cautioned that they must adhere to any other applicable payment and coverage rules imposed by the Centers for Medicare & Medicaid Services (“CMS”), as well as any other Federal, State or local laws and regulations in effect at the time.
HHS’s second announcement came from its Office of Civil Rights (“OCR”), which is responsible for enforcing the Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related laws and regulations to protect the privacy and security of individuals’ protected health information. OCR issued a Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency (“Notification”), which permits covered healthcare providers to use available non-public facing remote communication products to render telehealth services to their patients without fear of an enforcement action. Notably, the relaxed enforcement is applicable to any telehealth service related to the diagnosis and treatment of a health condition, not just to those related to COVID-19. While healthcare providers still must meet good-faith standards in using the technology, OCR has indicated that healthcare providers can use popular applications that permit video chatting, including Apple Face Time, Google Hangouts, Facebook Messenger video chat, and Skype. The Notification precludes, however, some other popular applications that are public-facing, including Facebook Live, Tik Tok and Twitch. Providers must also discuss with their patients the potential privacy risks involved in using third-party applications and make every effort to enable all available privacy modes (i.e., encryption). While not endorsing any third-party vendors, OCR recommended covered providers use third-party vendors that are HIPAA-compliant and accept BAAs, specifically identifying Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet. Whether a healthcare provider uses one of the HIPAA-compliant vendors or even enters into a BAA with a vendor, under the Notification OCR will not impose penalties for noncompliance with HIPAA Rules where a provider acts in good faith while providing telehealth services during the COVID-19 National Emergency.
For more information on HHS’s telehealth changes and any other laws, regulations, and proclamations related to COVID-19, contact your Butzel Long attorney or visit Butzel Long’s COVID-19 Resource Center.
Debra Geroux, CHC, CHPC
Mark R. Lezotte
Robert H. Schwartz