The Government Accountability Office (GAO) recently released a report urging more oversight of HIPAA regulations and CME telehealth. The uptake of telehealth technologies has increased the risk of telehealth fraud, waste, and abuse. The GAO investigation focused on urging the Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) to take steps to mitigate these risks. OCR is an office within HHS and is responsible for protecting US citizens from discrimination and for several other health-related agendas, including the enforcement of HIPAA.
Telehealth services increased dramatically with the waivers provided during the pandemic, which were meant to improve access to patient care through virtual visits using video, audio-only, and other telecommunication technologies. Now that the threat of the COVID pandemic is subsiding, the Department of Health and Human Services (HHS) is casting a wide net to tighten security measures related to telehealth under the HHS roof, which includes OCR and CMS.
GAO Recommendations for OCR
In March 2020, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that healthcare providers would no longer face fines if they did not comply with privacy and security requirements in the good faith provision of telehealth services. In addition, that notice did not advise providers to communicate privacy and security risks to their patients in a precise way. “Providing such information to providers could help ensure that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology,” explained GAO in the report.
The concern is that many providers currently operate under improper security procedures, which could pose a significant danger to patients. Particularly with cybersecurity being a grave issue, practitioners and their organizations should expect HIPAA enforcement to increase following this GAO report. Professional training is appropriate for providers who are unclear about their post-COVID HIPAA mandates.
GAO Recommendations for CMS
Concerning CMS telehealth, the GAO found privacy and security risks associated with Medicare, including issues such as the unauthorized disclosure of medical records.
The GAO report discusses, among other issues, the following:
- CMS lacks complete data on CME telehealth visits.
- The GAO found “insufficient data” about audio-only and video telehealth visits.
- The absence or non-use of mechanisms such as billing and availability codes, which are essential for identifying all occurrences of audio-only visits, contributed to data insufficiency.
They also commented that CMS has no plans to conduct a complete evaluation of the quality of waiver-related telehealth services due to concerns about patients’ sensitive health information being improperly disclosed in the process.
GAO Recommendations for CMS Telehealth Agencies
For organizations seeking to implement in-house solutions to CME telehealth, the GAO recommends the following:
- Develop an additional billing modifier to allow complete and accurate billing of audio-only visits.
- Require providers to use service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes.
- Have the administrator of CMS programs comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during a public health emergency.
- Moreover, GAO recommends that OCR provide additional direction to providers on patient privacy and security risks, so that providers can explain those risks to patients in plain language when using video telehealth platforms to provide telehealth services.