CMS COVID-19 Telehealth Waiver and Associated Announcements Regarding Cost-Sharing Waivers and HIPAA Enforcement
On March 17, 2020, the U.S. Department of Health and Human Services (“HHS”), Centers for Medicare and Medicaid Services (“CMS”) broadened Medicare coverage of telehealth services on a temporary and emergency basis pursuant to its waiver authority under Section 1135(b) of the Social Security Act. This waiver authority was expanded under the Coronavirus Preparedness and Response Supplemental Appropriations Act (the “Act”), which was signed into law on March 6, 2020. As further discussed below, CMS waived certain telehealth requirements that have long presented a barrier to telehealth services in order to limit community spread of COVID-19 and keep vulnerable beneficiaries with mild symptoms in their homes while maintaining access to needed routine care. This waiver is effective as of March 6, 2020 and will be in place for the duration of the COVID-19 public health emergency. The key features of the telehealth waiver and CMS’s announcement are addressed below.
Telehealth Visit Originating Site
Previous Requirement: A beneficiary receiving telehealth services was previously required to be located at certain distinct “originating sites”, including hospitals, physicians’ offices, and rural health clinics, and such originating sites had to meet certain geographic requirements that essentially limited telehealth access to patients in rural areas.
COVID-19 Telehealth Waiver: Medicare will make payment for professional services furnished to beneficiaries in all areas of the country in all settings, including any healthcare facility and in beneficiaries’ homes. Such coverage is not limited to services to patients with COVID-19.
Telehealth “Interactive Telecommunications System”
Previous Requirement: A telephone was not considered an “interactive telecommunications system” required to provide telehealth services.
COVID-19 Telehealth Waiver: Telephones may be used provided they have audio and video capabilities that are used for two-way, real-time interactive communication.
Other Key Features of CMS’s Telehealth Waiver Announcement
“Established Patient” Enforcement Waiver: The Act stated that the telehealth waiver would only apply to services provided to “established patients” that have been treated by the rendering practitioner or a member of the practitioner’s practice within the last 3 years. HHS stated it is exercising enforcement discretion with respect to this requirement and will not conduct audits to ensure that such a prior relationship existed for telehealth claims submitted during this public health emergency.
Cost-Sharing Waivers: HHS Office of Inspector General (“OIG”) is providing flexibility for healthcare providers to reduce or waive cost-sharing for telehealth visits paid by federal healthcare programs. Specifically, OIG will not subject physicians and other practitioners to OIG administrative sanctions for arrangements that satisfy both of the following conditions:
1. A physician or other practitioner reduces or waives cost-sharing obligations (i.e., coinsurance and deductibles) that a beneficiary may owe for telehealth services furnished consistent with the then-applicable coverage and payment rules; and
2. The telehealth services are furnished during the time period subject to the COVID-19 public health emergency.
HIPAA Enforcement Waiver: Effective immediately, the HHS Office for Civil Rights (“OCR”) will exercise enforcement discretion and waive penalties for HIPAA violations against health care providers who provide telehealth to patients during the COVID-19 public health emergency in good faith through any non-public facing remote communication product that is available to communicate with patients (e.g., Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype). This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.