By Adriana Krasniansky
COVID-19 stands to be a watershed moment for telehealth adoption within the U.S. healthcare system.
In response to the COVID-19 pandemic, the Trump administration and the Centers for Medicare & Medicaid Services (CMS) (part of the Department of Health and Human Services, or HHS) announced expanded Medicare telehealth coverage for over 80 health services, to be delivered over video or audio channels. Additionally, the HHS Office for Civil Rights (OCR) announced it would waive potential Health Insurance Portability and Accountability Act (HIPAA) penalties for good faith use of telehealth during the emergency. Both measures are designed to enable patients to receive a wider range of health care services remotely, reducing clinical congestion and limiting transmission of the virus.
In the midst of this emergency situation, health care providers can take measures to consider the ethical and legal aspects of tele-practice as they get started. This article is a short primer to help medical professionals understand telehealth in this moment, navigate regulations and technology practice standards, and choose technologies to support quality patient care.
Telehealth: Overview, Barriers, and COVID-19 Accommodations
Telehealth encompasses health care services, consultations, or data exchanges over digital channels, including phone, video chat, text, and online messaging.
Traditionally, telehealth expansion in the U.S. health care system has been limited by regulatory and educational barriers. However, given the COVID-19 pandemic, many of these barriers have been temporarily suspended and may be forever altered.
A prior regulatory barrier to telehealth related to the medical “necessity” of the services.
Previously, Medicare limited telehealth coverage to patients who presented a clear lack of access to a medical environment — e.g., people in rural communities.
Today, a range of health care providers, including doctors, nurse practitioners, clinical psychologists, and licensed clinical social workers, are able to offer telehealth services more broadly and receive Medicare reimbursement. Covered services include telehealth office visits, outpatient visits, and follow-ups, virtual check-ins, and e-visits (completed via a patient portal).
Telehealth also has been limited by barriers related to its digital nature.
HIPAA mandates that all telehealth practices exhibit the following:
1) a minimum threshold of data encryption (usually 256-bit)
2) coverage under a Business Associate Agreement (BAA), which stipulates that patient data collected through the platform is limited to the patient or a HIPAA-covered entity, such as a health care provider or insurer.
However, the OCR’s announcement that it would not pursue “good faith” violations of these HIPAA mandates suggests that providers, whether in a clinical setting or in private practice, will not be fined if they (in good faith) conduct telehealth during the COVID-19 pandemic using platforms that are not properly encrypted or BAA-protected.
Considerations for Health Care Providers
In response to the COVID-19 pandemic and subsequent national announcements, many health care providers are exploring telehealth options. The following considerations are important to keep in mind:
While some large organizations are providing their clinicians with enterprise telehealth platforms, many private practitioners, community clinics, and small health care networks must sort out platform selection for themselves.
Tiffany Chhuom, MPH, MSW, is a clinical social worker and ethics consultant who helps health care providers evaluate telehealth platforms and partners. Following the COVID-19 announcement, she has advised health care leaders on platforms including Vsee, Doxy.Me, Theranest, SimplePractice, Skype, Google Hangouts, Zoom, and Spruce. While some of these platforms are HIPAA-compliant, Chuuom noted, others are not.
Chhuom suggested health care leaders pay special attention to platforms’ messaging. “Language such as ‘HIPAA-friendly’ doesn’t necessarily mean that a platform is HIPAA-compliant,” she told me in a recent phone call. “Many platforms, including Zoom, are only HIPAA-compliant above certain paid tiers. Don’t assume that a basic version has the encryption-level or BAA necessary for this platform to be a long-term telehealth solution.”
Beyond minimum privacy thresholds, it’s important to assess the value-adds of different platforms. For example, Zoom, a market leader, has an integrative partnership with electronic health records provider EPIC to streamline documentation. Spruce offers a higher privacy standard of end-to-end encryption. Other platforms offer automated messaging/reminders for patients, among other benefits.
Another final critical assessment is patients’ access to different telehealth platforms and services. Some patients may not be able to access video-chat services due to poor or nonexistent internet networks or lack of smartphone technology. While the CMS states that providers can “evaluate beneficiaries who have audio phones only,” it is critical for providers to consider which services they can reasonably provide over the phone.
Billing and reimbursement
Providers must also be aware that private insurers may continue to have different requirements for telehealth billing and reimbursement. For example, some insurers may only cover video services, but not online messages or telephone calls.
The COVID-19 pandemic and HHS announcements have been as disruptive to insurers and billers as they have been health care providers, and insurers are updating their guidelines in real time. “There has been a flurry of confusion around reimbursement,” said Chhuon, “Many billers might not even have specialized CPT codes of telehealth.”
While recently issued HHS guidance on telehealth offers some new protections, health care providers must consider telehealth risks beyond OCR fines, including licensing complaints and administrative court actions. Chhuon recommended that providers not rely on templated telehealth consent forms, instead working with a lawyer who has expertise in the space to draft their own, if possible.
Regarding OCR penalties, providers should consider what constitutes a “good faith” reasonable effort to comply with HIPAA telehealth guidelines. While certain HIPAA-compliant platforms (or tiers of service) involve a cost, it is likely manageable for most clinicians ($15-20 monthly). Additionally, providers should not rely on public or open wireless networks to conduct telehealth practices and instead use a private network. Providers who cannot afford the platform tiers or private wireless networks necessary for HIPAA-compliant telemedicine should document their circumstances to illustrate good faith efforts.
Upholding Patient Care
Perhaps the most important consideration for providers is whether they can properly care for patients via telehealth. Regulatory compliance and best practices are just components of upholding patient care — professional competency, bedside manner, and patient-provider relationships are also critical determinants.
First, providers must assess how comfortable they are engaging with their patients over digital interfaces. Providers who are not comfortable administering care should consider how to refer patients to colleagues or networks that can support their health needs. Quality of care may also depend on patients’ physical and mental states. Providers must use their judgment to assess each patient and appointment on a case-by-case basis. In these situations, providers should compare the effect of a telehealth service to postponing an appointment, referring out a patient relationship, or not meeting with the patient at all.
Even after the COVID-19 pandemic, the telehealth pathways and relationships it establishes likely will remain. Thus, while immediacy is key, providers stand to benefit if they consider ethical, legal, and quality of care implications when setting up their telehealth practice today, so that it can continue to be a valuable care channel for the future.