Federal Agencies Relax Rules to Encourage Telehealth Services
Telehealth services have become more widely used in recent months. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services recently announced that it won’t impose certain penalties against health care providers using telehealth communications in good faith during the novel coronavirus (COVID-19) crisis. The penalties would normally be assessed under the Health Insurance Portability and Accountability Act (HIPAA).
Separately, the OCR has waived certain provisions of the HIPAA privacy rule for covered hospitals and summarized existing HIPAA use and disclosure rules applicable to all covered entities in emergency situations.
In guidance, the OCR explains that this enforcement relief applies to any services that covered health care providers, in their professional judgment, believe can be delivered through telehealth during the COVID-19 emergency. These services include diagnosis or treatment of both COVID-19-related conditions, such as taking a patient’s temperature or other vitals remotely, and unrelated conditions — such as review of physical therapy practices, mental health counseling or adjustment of prescriptions.
Providers aren’t considered to be delivering telehealth services in good faith if, for example, they:
- Further use or disclose protected health information transmitted during a telehealth communication in ways prohibited by the HIPAA privacy rule,
- Violate state licensing laws or professional ethical standards relating to telehealth treatments, or
- Use public-facing remote communication products such as TikTok, Facebook Live or other products designed to allow wide or indiscriminate access.
Conversely, while not endorsing any particular product, the OCR notes that providers may satisfy the good faith standard by using non-public-facing remote communication products such as Apple FaceTime, Facebook Messenger video chat, certain texting applications and other products that allow only the intended parties to participate in the communication.
The OCR observes that the acceptable products typically:
- Employ end-to-end encryption,
- Support individual user accounts, logins and passwords, and
- Allow users to assert control over features such as recording or muting the communication and turning off the video or audio signal.
Although the OCR’s enforcement relief doesn’t apply to health insurers (or, by implication, to self-insured health plans), the Centers for Medicare and Medicaid Services (CMS) has issued separate guidance encouraging insurers to promote the use of telehealth services. The agency gives examples such as:
- Notifying policyholders and beneficiaries of their availability,
- Ensuring access to a robust suite of telehealth services (including mental health and substance use disorder services), and
- Covering telehealth services without cost-sharing or other medical management requirements.
As an exception to the general prohibition on midyear coverage modifications, the CMS further announced that it won’t take enforcement action against health insurers that amend group or individual products midyear to provide greater coverage for telehealth services or to reduce or eliminate cost-sharing requirements for telehealth services. This will hold true even if the telehealth services covered by the change aren’t related to COVID-19.
The CMS intends to continue to take enforcement action against health insurers that attempt to limit or eliminate other benefits to offset the costs of more generous telehealth benefits. The agency’s guidance doesn’t apply to self-insured ERISA plans, which are under the jurisdiction of the U.S. Department of Labor and aren’t subject to the ban on midyear modifications.
Other compliance issues
In addition to bringing up HIPAA privacy and security considerations, telehealth raises compliance issues under other federal and state laws. The CMS has encouraged states to consider relaxing state laws to support efforts by insurers (and, by extension, all health plans) to increase access to telehealth services.
Health care plans also face many issues when incorporating telehealth into their covered benefits, including HIPAA business associate contracts and the impact of telehealth on eligibility for Health Savings Accounts (an issue that’s on the regulators’ radar).
Employers adjusting to increased numbers of remote workers may be interested in establishing or expanding telehealth capabilities under their health care plans. Setting up a compliant telehealth program requires substantial expertise and, while these agency actions are welcome, they represent small pieces in the complex equation of how to provide health care — and administer benefits — during a global pandemic.