Back to the Future for Telehealth: Refocusing on Security and Quality | Holland & Knight LLP


Telehealth has been around for decades, but restrictive reimbursement rules kept it out of widespread use for many treatment needs. Then along came the COVID-19 pandemic and everything changed rapidly. Suddenly, due to the public health emergency, telemedicine was made available to most everyone with internet access.

In March 2020, at the start of the pandemic, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), relaxed data security policies temporarily to enable broader use of telehealth platforms without all of HIPAA’s protections in place. An OCR notification made it clear that healthcare providers could use “any non-public facing remote communication product that is available to communicate with patients.” At the same time, health plans began paying for telehealth, states relaxed licensure requirements, and providers worked quickly to implement telehealth in their practices so that they could continue providing services to patients.

With the end of the pandemic in sight, the federal government has signaled that regulatory compliance for telehealth is returning quickly, and it is time to think once again about privacy, security and quality when it comes to delivering care via telemedicine. Importantly, on Sept. 26, 2022, the U.S. Government Accountability Office (GAO) released GAO-22-104454, titled “Medicare Telehealth: Actions Need to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.” The GAO report notes that in 2020, the “use of telehealth services rose tenfold,” with 53 million telehealth visits during the last three quarters of 2020. The same period in 2019 had only 5 million telehealth visits. There was a 25 percent drop in in-person services. Mental health and behavioral health providers “delivered around half of their services via telehealth in each month between April 2020 and December 2020,” according to the GAO report.

Recommendations

GAO’s report makes three recommendations to CMS and one to OCR. For CMS, the GAO recommends the following:

  1. To enable tracking of audio-only office visits, CMS should clarify guidance regarding billing of these visits or develop an additional billing modifier.
  2. For in-home services delivered via telehealth, CMS should require providers to use available site of service codes.
  3. CMS should conduct a comprehensive assessment of the quality of Medicare services delivered using telehealth during the public health emergency.

GAO recommended that OCR “provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services.”

Improvements Needed

On Sept. 7, 2022, the HHS Office of Inspector General (OIG) released an audit report relating to its review of the Indian Health Service (IHS) and its use of telehealth technologies, which may prove to be useful guidance for telehealth providers generally. OIG’s goal was to determine whether IHS implemented certain security controls to protect its telehealth system. OIG concluded that IHS’s telehealth system had room for improvement with respect to cybersecurity. Specifically, IHS rolled out its national telehealth system during the pandemic without completing “select IT controls,” including a contingency plan, risk assessment, system security plan and a finalized authorization to operate (ATO). IHS’s position was that it “did not have a strategy for completing the requirements to implement and authorize a new information system to operate in an expedited fashion to meet an urgent, mission-critical need.” OIG had two recommendations for IHS:

  • IHS should develop a strategy to address certain minimum controls that must be in place when expeditiously deploying a new information system necessary to meet an urgent, mission-critical need. The strategy “should include an acceptance of risk for not implementing all required controls, specify a date by which the remaining controls will be implemented and tested, and be replaced with a new authorization to operate once all required controls have been addressed.”
  • IHS should make sure adequate policies, procedures and training are implemented to remediate known telehealth vulnerabilities in a timely manner.

Conclusion

Now that the telehealth toothpaste is out of the tube, it will be hard to expect patients to go back to traditional bricks-and-mortar care in every situation. For providers that want to continue to deliver services remotely, now is the time to review current practices to ensure HIPAA compliance and security controls are in place. Providers should also confirm that telehealth delivery models are effective in providing quality care.