What to expect now that we’re expecting: What the end of the public health emergency means for healthcare providers Part 2: Guidance on telehealth

I. Introduction

On January 30, 2023, the Biden Administration announced its plan to end the COVID-19 Public Health Emergency (PHE) on May 11, 2023. As discussed here, the PHE declarations have allowed the federal government to waive and modify certain Medicare, Medicaid, and Children’s Health Insurance program requirements and provide liability immunity to providers to administer services. With the termination of the PHE in May, some of the changes implemented during the COVID-19 pandemic are set to expire while others have been extended or made permanent. This article focuses on changes related to telehealth.

II. Medicare and Telehealth

During the COVID-19 pandemic, the U.S. Department of Health and Human Services (HHS) implemented many administrative changes to allow more flexibilities for the use of telehealth. Many of these flexibilities were set to expire with the end of the PHE. However, the Consolidated Appropriations Act of 2023 extended many of the Medicare telehealth flexibilities authorized during the COVID-19 PHE beyond the end of the PHE. Below are a list of Medicare changes related to telehealth that have been made permanent and a list of temporary changes extended by the Consolidated Appropriations Act of 2023.

Permanent Medicare changes¹

• Federally Qualified Health Centers (FQHCs) and Rural Health Clinics (RHCs) can serve as a distant site² provider for behavioral/mental telehealth services.
• Medicare patients can receive telehealth services for behavioral/mental health care in their home.
• There are no geographic restrictions³ for originating site for behavioral/mental telehealth services.
• Behavioral/mental telehealth services can be delivered using audio-only communication platforms.
• Rural hospital emergency departments are accepted as an originating site.

Temporary Medicare changes through December 31, 2024⁴

• FQHCs and RHCs can serve as a distant site provider for non-behavioral/mental telehealth services.
• Medicare patients can receive telehealth services authorized in the Calendar Year 2023 Medicare Physician Fee Schedule in their home.
• There are no geographic restrictions for originating site for non-behavioral/mental telehealth services.
• Some non-behavioral/mental telehealth services can be delivered using audio-only communication platforms.
• An in-person visit within six months of an initial behavioral/mental telehealth service, and annually thereafter, is not required.
• Patients with High Deductible Health Plans coupled with Health Savings Accounts can utilize first dollar coverage for telehealth services without first having to meet their minimum deductible.
• Telehealth services can be provided by a physical therapist, occupational therapist, speech-language pathologist, or audiologist.

III. Medicaid and Telehealth

States have broad authority to cover telehealth services under Medicaid without approval from Centers for Medicare & Medicaid Services (CMS). To limit patients’ exposure to COVID-19 and increase access to health care during the pandemic, all 50 states and D.C. expanded telehealth coverage under state Medicaid programs. These telehealth expansions resulted in an increased usage of telemedicine and access to health care during the pandemic. Consequently, many states have or plan to adopt permanent Medicaid telehealth expansions that will remain effective even after the termination of PHE.

On October 19, 2020, the temporary expansion of telehealth services in the Ohio Medicaid program became permanent.⁵ In other words, the termination of the PHE will not impact Ohio Medicaid’s changes made to telehealth services. Under Ohio Administrative Code §5160-1-18, changes to telehealth services in the Medicaid program include:

• Expanding the definition of telehealth to include telephone calls, remote patient monitoring and other electronic communication that does not have both audio and video elements;
• Expanding the types of practitioners who are eligible to provide telehealth services, including home health and hospice aides, behavioral health practitioners, Medicaid school program providers, optometrists, dentists, dietitians, and physical and occupational therapists;
• Fewer restrictions on patient and practitioner site locations; and
• Expanding the types of telehealth services that may be paid for by Medicaid, including virtual check-in by a physician or other qualified health care professional who can report evaluation and management services, online digital evaluation and management services, remote patient monitoring, physical therapy, occupational therapy, audiology, speech-language therapy and additional behavioral health services.

IV. HIPAA and Telehealth

During the COVID-19 PHE, the HHS Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion (the “Enforcement Discretion”) to allow covered health care providers to use communication applications without the risk of penalties imposed for violations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules for the good faith provision of telehealth services. Under the Enforcement Discretion, covered health care providers may use popular video chat applications and text-based applications to deliver telehealth as long as they are “non-public facing.”⁶ Additionally, health care providers that prefer additional privacy protections should use technology vendors that are HIPAA-compliant and enter into a HIPAA business associate agreement (BAA) in connection with the provision of their video communication products. Examples of vendors who indicate they are HIPAA-compliant include Skype for Business, Zoom for Health care, Spruce Health Care Messenger or Amazon Chime.

With the termination of PHE on May 11, 2023, the Enforcement Discretion is set to expire. This expiration means that covered health care providers must use HIPAA-compliant telehealth vendors when offering telehealth services to patients. As for audio-only telehealth services, OCR has issued the following guidance related to the requirements of HIPAA rules. Under this guidance, the HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line, but the Security Rule does apply to certain electronic communication technologies such as Voice over Internet Protocol and mobile technologies that use electronic media. With respect to virtual telehealth, health care providers should use only HIPAA-compliant telehealth applications and enter into BAAs with those qualifying vendors as indicated in the Enforcement Discretion.