Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks

GAO-22-104454 Published: Sep 26, 2022. Publicly Released: Sep 26, 2022.
Jump To:
Fast Facts

To help patients access care during the pandemic, Medicare temporarily waived restrictions on telehealth—health care services delivered via phone or video. The use of telehealth services rose tenfold: 53 million telehealth visits in Apr.-Dec. 2020 vs. 5 million during the same period in 2019.

But Medicare hasn't comprehensively assessed the quality of care patients received, and lacks data on telehealth services delivered in patients' homes or via phone. Patients may also be unaware that their private health information could be overheard or inappropriately disclosed during their video appointment.

Our recommendations address these issues.

An older woman having a telehealth visit with medical personnel using a tablet.

Skip to Highlights

What GAO Found

In response to the COVID-19 pandemic, the Department of Health and Human Services (HHS) temporarily waived certain Medicare restrictions on telehealth—the delivery of some services via audio-only or video technology. Use of telehealth services increased from about 5 million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020). Total utilization of all Medicare services declined by about 14 percent post-waiver due to a 25 percent drop in in-person service use. GAO also found that, post-waiver, telehealth services increased across all provider specialties, and 5 percent of providers delivered over 40 percent of services. Urban providers delivered a greater percentage of their services via telehealth compared to rural providers; office visits and psychotherapy were the most common services.

Telehealth and In-Person Utilization, by Month, April 2019–December 2020

Telehealth and In-Person Utilization, by Month, April 2019–December 2020

The Centers for Medicare & Medicaid Services (CMS) within HHS took actions to monitor some program integrity risks related to the telehealth waivers. However, CMS lacks complete data on the use of audio-only technology and telehealth visits furnished in beneficiaries' homes. This is because there is no billing mechanism for providers to identify all instances of audio-only visits. Moreover, providers are not required to use available codes to identify visits furnished in beneficiaries' homes. Complete data are important, as the quality of these services may not be equivalent to that of in-person services. Also, CMS has not comprehensively assessed the quality of telehealth services delivered under the waivers and has no plans to do so, which is inconsistent with CMS' quality strategy. Without an assessment of the quality of telehealth services, CMS may not be able to fully ensure that services lead to improved health outcomes.

In March 2020, HHS's Office for Civil Rights (OCR) announced that it would not impose penalties against providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the COVID-19 public health emergency. OCR encouraged covered providers to notify patients of potential privacy and security risks. However, it did not advise providers of specific language to use or give direction to help them explain these risks to their patients. Providing such information to providers could help ensure that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology.

Why GAO Did This Study

By law, Medicare pays for telehealth services under limited circumstances—such as only in certain (mostly rural) geographic locations. The waivers and other flexibilities that HHS issued in March 2020 (including under its own regulatory authority) have allowed services to be safely delivered and received during the pandemic. There is stakeholder interest in making these changes permanent. GAO and others have noted that extending them may increase spending and pose new risks of fraud, waste, and abuse.

GAO was asked to review telehealth services under the waivers. This report describes, among other issues, (1) the utilization of telehealth services, (2) CMS efforts to identify and monitor risks posed by Medicare telehealth waivers, and (3) a change OCR made to its enforcement of regulations governing patients' protected health information during the COVID-19 public health emergency.

GAO analyzed Medicare claims data from 2019 through 2020 (the most recently available data at the time); reviewed federal statutes, CMS documents (including its assessment of risks posed by telehealth waivers), and OCR guidance; and interviewed agency officials.

Skip to Recommendations


GAO is making three recommendations for CMS to strengthen its telehealth oversight, and one for OCR to provide additional direction to providers to explain privacy and security risks to patients. HHS neither agreed nor disagreed with the three CMS recommendations and concurred with the OCR recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Centers for Medicare & Medicaid Services The Administrator of CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits. (Recommendation 1)
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Centers for Medicare & Medicaid Services The Administrator of CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes. (Recommendation 2)
Open – Partially Addressed
In the Calendar Year 2023 Medicare Physician Fee Schedule Final Rule, CMS finalized use of two available site of service codes to indicate where telehealth services are delivered. On the 152nd day after the end of the public health emergency, providers will be required to use one of these two codes to indicate whether a telehealth service is delivered in a beneficiary's home or other location, such as an office or clinic. These required site of service codes partially address our recommendation. We will close this recommendation once CMS implements these codes after the public health emergency and 151-day extension ends.
Centers for Medicare & Medicaid Services The Administrator of CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the public health emergency. Such an assessment could include leveraging evidence from related efforts led by other HHS agencies. (Recommendation 3)
In November 2022, CMS said they no longer agree with this recommendation because they do not have a measure to assess quality, and cannot consider developing or re-specifying such a measure due to budget restraints. Further, they have no planned actions for this recommendation. We maintain the importance of assessing the quality of telehealth services given that providers receive the same payment whether or not telehealth services are provided via video or audio-only during the public health emergency. Also, it is important for CMS to study the quality of telehealth services to ensure that services are medically necessary, equitable, and lead to improved health outcomes.
HHS Office for Civil Rights OCR should provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services. (Recommendation 4)
HHS noted in its agency comments that OCR issued two guidance documents in June 2022 relating to uses of audio-only telehealth consistent with the HIPAA Rules, as well as the privacy and security of health information when using a cell phone or tablet. However, these telehealth guidance documents do not address key components of our recommendation. HHS also noted that OCR plans to develop additional guidance for providers regarding telehealth and will include information to help providers explain privacy and security risks to individuals in plain language. Given the extension of many telehealth waivers to December 31, 2024, we maintain the importance of providing guidance to providers to help them educate patients on privacy and security risks when using video platforms for telehealth services.

Full Report

GAO Contacts