CME telehealth, HIPAA enforcement

Post-COVID Recommendations for HIPAA Enforcement & CMS Telehealth: Government Accountability Office


October 4, 2022 | Reading Time: 2 Minutes


The Government Accountability Office (GAO) recently released a report urging more oversight of HIPAA regulations and CME telehealth. The uptake of telehealth technologies has increased the risk of telehealth fraud, waste, and abuse. The GAO investigation focused on urging the Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) to take steps to mitigate these risks. OCR is an office within the Department of Health and Human Services (HHS) and is responsible for protecting US citizens from discrimination and for several other health-related agendas, including the enforcement of HIPAA.

Telehealth services increased dramatically with the waivers provided during the pandemic, which were intended to improve the accessibility of patient care through virtual visits using video, audio-only, and other telecommunication technologies. Now that the threat of the COVID pandemic is subsiding, the Department of Health and Human Services (HHS) is casting a wide net to tighten security measures related to telehealth under the HHS roof, which includes OCR and CMS.

GAO Recommendations for OCR

In March 2020, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that healthcare providers would no longer face fines for failing to comply with privacy and security requirements in connection with the good faith provision of telehealth services. In addition, that notice did not advise providers to communicate privacy and security risks to their patients in a precise way. “Providing such information to providers could help ensure that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology,” explained GAO in the report.

The concern is that many providers currently operate under improper security procedures, which could pose a significant danger to patients. Particularly when cybersecurity is a grave issue, practitioners and their organizations should expect that HIPAA enforcement will be increased subsequent to this GAO report. Professional training is appropriate for providers who are unclear about their post-COVID HIPAA mandates.

GAO Recommendations for CMS

Concerning CMS telehealth, the GAO found privacy and security risks associated with Medicare, including issues such as the unauthorized disclosure of medical records. 

The GAO report discusses, among other issues, the following:

  • CMS lacks complete data on CME telehealth visits.
  • The GAO found “insufficient data” about audio-only and video telehealth visits. 
  • The absence or non-use of mechanisms such as billing and availability codes, which are essential for identifying all occurrences of audio-only visits, contributed to data insufficiency. 

They also commented that CMS has no plans to conduct a complete evaluation of the quality of waiver-related telehealth services due to concerns about patients’ sensitive health information being improperly disclosed in the process.

GAO Recommendations for CMS Telehealth Agencies 

For organizations seeking to implement in-house solutions to CME telehealth, the GAO recommends the following:

  • Develop an additional billing modifier to allow complete and accurate billing of audio-only visits. 
  • Require providers to use service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes.
  • Have the administrator of CMS programs comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during a public health emergency.
  • Have OCR provide additional direction to providers on patient privacy and security risks, so that providers can explain those risks to patients in plain language when using video telehealth platforms to provide telehealth services.