Skip to main content

Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks

GAO-22-104454 Published: Sep 26, 2022. Publicly Released: Sep 26, 2022.
Jump To:

Fast Facts

To help patients access care during the pandemic, Medicare temporarily waived restrictions on telehealth—health care services delivered via phone or video. The use of telehealth services rose tenfold: 53 million telehealth visits in Apr.-Dec. 2020 vs. 5 million during the same period in 2019.

But Medicare hasn't comprehensively assessed the quality of care patients received, and lacks data on telehealth services delivered in patients' homes or via phone. Patients may also be unaware that their private health information could be overheard or inappropriately disclosed during their video appointment.

Our recommendations address these issues.

An older woman having a telehealth visit with medical personnel using a tablet.

Skip to Highlights


What GAO Found

In response to the COVID-19 pandemic, the Department of Health and Human Services (HHS) temporarily waived certain Medicare restrictions on telehealth—the delivery of some services via audio-only or video technology. Use of telehealth services increased from about 5 million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020). Total utilization of all Medicare services declined by about 14 percent post-waiver due to a 25 percent drop in in-person service use. GAO also found that, post-waiver, telehealth services increased across all provider specialties, and 5 percent of providers delivered over 40 percent of services. Urban providers delivered a greater percentage of their services via telehealth compared to rural providers; office visits and psychotherapy were the most common services.

Telehealth and In-Person Utilization, by Month, April 2019–December 2020

Telehealth and In-Person Utilization, by Month, April 2019–December 2020

The Centers for Medicare & Medicaid Services (CMS) within HHS took actions to monitor some program integrity risks related to the telehealth waivers. However, CMS lacks complete data on the use of audio-only technology and telehealth visits furnished in beneficiaries' homes. This is because there is no billing mechanism for providers to identify all instances of audio-only visits. Moreover, providers are not required to use available codes to identify visits furnished in beneficiaries' homes. Complete data are important, as the quality of these services may not be equivalent to that of in-person services. Also, CMS has not comprehensively assessed the quality of telehealth services delivered under the waivers and has no plans to do so, which is inconsistent with CMS' quality strategy. Without an assessment of the quality of telehealth services, CMS may not be able to fully ensure that services lead to improved health outcomes.

In March 2020, HHS's Office for Civil Rights (OCR) announced that it would not impose penalties against providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the COVID-19 public health emergency. OCR encouraged covered providers to notify patients of potential privacy and security risks. However, it did not advise providers of specific language to use or give direction to help them explain these risks to their patients. Providing such information to providers could help ensure that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology.

Why GAO Did This Study

By law, Medicare pays for telehealth services under limited circumstances—such as only in certain (mostly rural) geographic locations. The waivers and other flexibilities that HHS issued in March 2020 (including under its own regulatory authority) have allowed services to be safely delivered and received during the pandemic. There is stakeholder interest in making these changes permanent. GAO and others have noted that extending them may increase spending and pose new risks of fraud, waste, and abuse.

GAO was asked to review telehealth services under the waivers. This report describes, among other issues, (1) the utilization of telehealth services, (2) CMS efforts to identify and monitor risks posed by Medicare telehealth waivers, and (3) a change OCR made to its enforcement of regulations governing patients' protected health information during the COVID-19 public health emergency.

GAO analyzed Medicare claims data from 2019 through 2020 (the most recently available data at the time); reviewed federal statutes, CMS documents (including its assessment of risks posed by telehealth waivers), and OCR guidance; and interviewed agency officials.


GAO is making three recommendations for CMS to strengthen its telehealth oversight, and one for OCR to provide additional direction to providers to explain privacy and security risks to patients. HHS neither agreed nor disagreed with the three CMS recommendations and concurred with the OCR recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Centers for Medicare & Medicaid Services The Administrator of CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits. (Recommendation 1)
Open – Partially Addressed
As of March 2024, this recommendation remains open-partially addressed. In the Calendar Year 2023 Medicare Physician Fee Schedule Final Rule, CMS finalized use of modifiers to track when telehealth services are delivered via audio-only technology. Specifically, effective Jan 1, 2023, providers can append a modifier to claims, as appropriate, to indicate when telehealth services are delivered using audio-only technology. CMS also finalized that (1) all providers are required to use a modifier when billing for eligible mental health services furnished using audio-only technology, and (2) all providers in rural health clinics (RHCs), federally qualified health centers (FQHCs), and opioid treatment programs (OTPs) must append a modifier when delivering allowable telehealth services via audio-only. The additional modifiers partially address our recommendation. However, they still may not capture all utilization of telehealth services delivered via audio-only. Outside of the required modifiers in the Final Rule, providers can, but are not required, to append a modifier to claims to indicate when telehealth services are delivered via audio-only. Further, a modifier would not apply to telehealth services, such as certain office visits, that are not approved for audio-only. In situations where a telehealth office visit begins as a video visit and shifts to audio-only, CMS directed providers during the public health emergency to use the code that best describes the visit, whether it be video or audio-only. Without clarifying its guidance on billing of audio-only office visits, and requiring providers to use a modifier for all telehealth visits delivered via audio-only, CMS still will not be able to fully track utilization of audio-only telehealth services. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Centers for Medicare & Medicaid Services The Administrator of CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes. (Recommendation 2)
Closed – Implemented
In the Calendar Year 2023 Medicare Physician Fee Schedule Final Rule, CMS finalized use of two available site of service codes to indicate where telehealth services are delivered. On the 152nd day after the end of the public health emergency, providers will be required to use one of these two codes to indicate whether a telehealth service is delivered in a beneficiary's home or other location, such as an office or clinic. CMS guidance issued in December 2023 (MLN 901705) stated that after Dec. 31, 2023, providers should bill for telehealth services using one of two POS codes-POS 10 for telehealth services delivered to a patient in their home, and POS-02 for telehealth services delivered at an originating site other than a patient's home. We are closing this recommendation based on the final rule and guidance in the MLN document.
Centers for Medicare & Medicaid Services The Administrator of CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the public health emergency. Such an assessment could include leveraging evidence from related efforts led by other HHS agencies. (Recommendation 3)
In November 2022, CMS said they no longer agree with this recommendation because they do not have a measure to assess quality, and cannot consider developing or re-specifying such a measure due to budget restraints. Further, they have no planned actions for this recommendation. On April 5, 2023, HHS noted that telehealth services are included in CMS clinical quality measures, depending on the measure specification or the topic area that measure covers. HHS also noted that Medicare telehealth services were added to the merit-based incentive payment system (MIPS) measure specifications, where appropriate. However, HHS noted that the specific telehealth services included in each clinical measure vary, and the MIPS data is not reported in a way that enables them to discern a telehealth visit from an in-person visit; thus, HHS is unable to identify performance differences for telehealth services versus in-person services with MIPS data. While we consider HHS efforts to include telehealth services in clinical quality measures to be positive step towards assessing the quality of telehealth services, they do not constitute a comprehensive assessment of telehealth quality. We maintain the importance of assessing the quality of telehealth services given that providers receive the same payment whether or not telehealth services are provided via video or audio-only through the end of the calendar year in which the public health emergency ends. Also, it is important for CMS to study the quality of telehealth services to ensure that services are medically necessary, equitable, and lead to improved health outcomes. As of March 2024, CMS said they continue to non-concur with this recommendation. CMS said they do not have any measures that assesses telehealth quality and cannot consider developing or re-specifying a measure due to budget constraints. Given that many telehealth flexibilities are extended through Dec. 31, 2024, and some services were made permanently available via telehealth, it remains important for CMS to assess the quality of services delivered to Medicare beneficiaries via telehealth. As of December 2023, this recommendation remains open.
HHS Office for Civil Rights OCR should provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services. (Recommendation 4)
Closed – Implemented
HHS noted in its agency comments that OCR issued two guidance documents in June 2022 relating to uses of audio-only telehealth consistent with the HIPAA Rules, as well as the privacy and security of health information when using a cell phone or tablet. However, these telehealth guidance documents do not address key components of our recommendation. HHS also noted that OCR plans to develop additional guidance for providers regarding telehealth and will include information to help providers explain privacy and security risks to individuals in plain language. On October 18, 2023, HHS/OCR published two guidance documents to help explain the privacy and security risks when using video telehealth platforms for telehealth services. The first guidance document is a resource for health care providers to help them educate patients on the privacy and security risks to their protected health information when using remote communication technologies for telehealth. The second guidance document is a resource for patients that includes tips for protecting and securing their health information when using video applications or other technologies for telehealth. According to HHS, OCR announced publication of these documents on its listerv. As of November 15, 2023, these documents are available on OCR's website. These published resources may help patients better weigh the risks of and make informed decisions on the use of telehealth technologies.

Full Report

Office of Public Affairs


BeneficiariesHealth careHealth care informationMedicaid servicesMedicareMedicare servicespandemicsPatient carePrivacyQuality of careRisk assessmentSecurity risks