GAO: HHS Must Improve Monitoring of Medicare Telehealth and Help Providers Communicate Privacy Concerns

The Government Accountability Office (GAO) recently assessed the Medicare telehealth services provided during the COVID-19 pandemic. Because a waiver was in place, access to telehealth and virtual appointments was greatly expanded. The assessment covered the use of telehealth services, how CMS identified and monitored risks associated with the Medicare waivers, and how the HHS’ Office for Civil Rights (OCR) changed its enforcement of HIPAA compliance with regard to telehealth during the COVID-19 public health crisis.

Under normal conditions, Medicare covers telehealth services, but only in restricted instances, for example when patients residing in rural areas do not have quick access to healthcare services. Because of the growing need for telehealth during the COVID-19 pandemic, the HHS’ Centers for Medicare and Medicaid Services (CMS) issued waivers that expanded Medicare telehealth services and permitted virtual appointments in a wider range of situations. OCR also issued a notice of enforcement discretion stating that enforcement actions would not be taken against healthcare companies for the good-faith provision of telehealth services, even if non-public-facing technology was used that would not typically be HIPAA compliant.

From April to December 2019, 5 million Medicare telehealth consultations took place. During the same period in 2020, the number rose to 53 million. According to the GAO report, CMS could not adequately review the quality of care provided to patients through telehealth appointments, and there is concern that patients do not fully understand the privacy risks involved, which possibly resulted in the inappropriate disclosure of sensitive health data.

OCR urged covered companies to tell patients about the possible privacy and security issues related to telehealth services; however, OCR did not tell companies what specific language to use when describing those risks, nor did it provide guidance to help companies explain them. Giving companies such details can help ensure that patients understand how the privacy and security risks of telehealth technology may affect their protected health information (PHI).

Under normal circumstances, a healthcare company and a communications platform vendor should sign a business associate agreement; however, that requirement was not applied during the public health crisis. That can raise the risk of a patient’s PHI being disclosed without the patient’s knowledge. Patients might not know that this change happened because of OCR’s telehealth policy, or that their privacy is not protected.

GAO noted in the report that complaints had been filed concerning possible violations of the HIPAA Privacy and Security Rules in connection with telehealth appointments. Patients filed 5 separate complaints about the use of technology for telehealth consultations that was not HIPAA Security Rule compliant. There were 37 privacy complaints filed about concerns such as the presence of third parties during visits and cases where companies disclosed PHI without obtaining patient permission.

GAO has recommended that OCR provide more education and outreach to help companies explain the privacy and security threats of telehealth to patients, so that those threats are fully understood. GAO highlighted the importance of giving patients easy-to-understand information so they can thoroughly weigh the risks to their personal data, and of better communication about the privacy policies and HIPAA compliance of telehealth vendors to help patients understand the privacy threats.

OCR agreed with the recommendations and stated that it will provide more guidance to healthcare companies on offering telehealth services, including guidance on explaining the privacy and security threats to patients in simple language.

GAO found that information on audio-only and video telehealth appointments conducted from April to December 2020 was incomplete. This was attributed to the lack of appropriate billing codes used by insurance providers to track telehealth and virtual consultations and to determine when telehealth services were provided to beneficiaries in their residences.

GAO advised CMS to create an additional billing modifier to allow proper tracking of audio-only office appointments, to require companies to use service codes that indicate when Medicare telehealth services are provided to beneficiaries in their residences, and for the CMS Administrator to thoroughly evaluate the quality of Medicare services, including audio-only services, delivered via telehealth during the public health crisis.