Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks
To help patients access care during the pandemic, Medicare temporarily waived restrictions on telehealth—health care services delivered via phone or video. The use of telehealth services rose tenfold: 53 million telehealth visits in Apr.-Dec. 2020 vs. 5 million during the same period in 2019.
But Medicare hasn't comprehensively assessed the quality of care patients received, and lacks data on telehealth services delivered in patients' homes or via phone. Patients may also be unaware that their private health information could be overheard or inappropriately disclosed during their video appointment.
Our recommendations address these issues.
What GAO Found
In response to the COVID-19 pandemic, the Department of Health and Human Services (HHS) temporarily waived certain Medicare restrictions on telehealth—the delivery of some services via audio-only or video technology. Use of telehealth services increased from about 5 million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020). Total utilization of all Medicare services declined by about 14 percent post-waiver due to a 25 percent drop in in-person service use. GAO also found that, post-waiver, telehealth services increased across all provider specialties, and 5 percent of providers delivered over 40 percent of services. Urban providers delivered a greater percentage of their services via telehealth compared to rural providers; office visits and psychotherapy were the most common services.
Telehealth and In-Person Utilization, by Month, April 2019–December 2020
The Centers for Medicare & Medicaid Services (CMS) within HHS took actions to monitor some program integrity risks related to the telehealth waivers. However, CMS lacks complete data on the use of audio-only technology and telehealth visits furnished in beneficiaries' homes. This is because there is no billing mechanism for providers to identify all instances of audio-only visits. Moreover, providers are not required to use available codes to identify visits furnished in beneficiaries' homes. Complete data are important, as the quality of these services may not be equivalent to that of in-person services. Also, CMS has not comprehensively assessed the quality of telehealth services delivered under the waivers and has no plans to do so, which is inconsistent with CMS' quality strategy. Without an assessment of the quality of telehealth services, CMS may not be able to fully ensure that services lead to improved health outcomes.
In March 2020, HHS's Office for Civil Rights (OCR) announced that it would not impose penalties against providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the COVID-19 public health emergency. OCR encouraged covered providers to notify patients of potential privacy and security risks. However, it did not advise providers of specific language to use or give direction to help them explain these risks to their patients. Providing such information to providers could help ensure that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology.
Why GAO Did This Study
By law, Medicare pays for telehealth services under limited circumstances—such as only in certain (mostly rural) geographic locations. The waivers and other flexibilities that HHS issued in March 2020 (including under its own regulatory authority) have allowed services to be safely delivered and received during the pandemic. There is stakeholder interest in making these changes permanent. GAO and others have noted that extending them may increase spending and pose new risks of fraud, waste, and abuse.
GAO was asked to review telehealth services under the waivers. This report describes, among other issues, (1) the utilization of telehealth services, (2) CMS efforts to identify and monitor risks posed by Medicare telehealth waivers, and (3) a change OCR made to its enforcement of regulations governing patients' protected health information during the COVID-19 public health emergency.
GAO analyzed Medicare claims data from 2019 through 2020 (the most recently available data at the time); reviewed federal statutes, CMS documents (including its assessment of risks posed by telehealth waivers), and OCR guidance; and interviewed agency officials.
GAO is making three recommendations for CMS to strengthen its telehealth oversight, and one for OCR to provide additional direction to providers to explain privacy and security risks to patients. HHS neither agreed nor disagreed with the three CMS recommendations and concurred with the OCR recommendation.
Recommendations for Executive Action
|Centers for Medicare & Medicaid Services||The Administrator of CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits. (Recommendation 1)||
As of April 5, 2023, this recommendation remains open-partially addressed. In the Calendar Year 2023 Medicare Physician Fee Schedule Final Rule, CMS finalized use of modifiers to track when telehealth services are delivered via audio-only technology. Specifically, effective Jan 1, 2023, providers can append a modifier to claims, as appropriate, to indicate when telehealth services are delivered using audio-only technology. CMS also finalized that (1) all providers are required to use a modifier when billing for eligible mental health services furnished using audio-only technology, and (2) all providers in rural health clinics (RHCs), federally qualified health centers (FQHCs), and opioid treatment programs (OTPs) must append a modifier when delivering allowable telehealth services via audio-only. The additional modifiers partially address our recommendation. However, they still may not capture all utilization of telehealth services delivered via audio-only. Outside of the required modifiers in the Final Rule, providers can, but are not required, to append a modifier to claims to indicate when telehealth services are delivered via audio-only. Further, a modifier would not apply to telehealth services, such as certain office visits, that are not approved for audio-only. In situations where a telehealth office visit begins as a video visit and shifts to audio-only, CMS directed providers during the public health emergency to use the code that best describes the visit, whether it be video or audio-only. Without clarifying its guidance on billing of audio-only office visits, and requiring providers to use a modifier for all telehealth visits delivered via audio-only, CMS still will not be able to fully track utilization of audio-only telehealth services.
|Centers for Medicare & Medicaid Services||The Administrator of CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes. (Recommendation 2)||
As of April 5, 2023, this recommendation remains open-partially addressed. In the Calendar Year 2023 Medicare Physician Fee Schedule Final Rule, CMS finalized use of two available site of service codes to indicate where telehealth services are delivered. On the 152nd day after the end of the public health emergency, providers will be required to use one of these two codes to indicate whether a telehealth service is delivered in a beneficiary's home or other location, such as an office or clinic. These required site of service codes partially address our recommendation. We will close this recommendation once CMS implements these codes after the public health emergency and 151-day extension ends.
|Centers for Medicare & Medicaid Services||The Administrator of CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the public health emergency. Such an assessment could include leveraging evidence from related efforts led by other HHS agencies. (Recommendation 3)||
In November 2022, CMS said they no longer agree with this recommendation because they do not have a measure to assess quality, and cannot consider developing or re-specifying such a measure due to budget restraints. Further, they have no planned actions for this recommendation. On April 5, 2023, HHS noted that telehealth services are included in CMS clinical quality measures, depending on the measure specification or the topic area that measure covers. HHS also noted that Medicare telehealth services were added to the merit-based incentive payment system (MIPS) measure specifications, where appropriate. However, HHS noted that the specific telehealth services included in each clinical measure vary, and the MIPS data is not reported in a way that enables them to discern a telehealth visit from an in-person visit; thus, HHS is unable to identify performance differences for telehealth services versus in-person services with MIPS data. While we consider HHS efforts to include telehealth services in clinical quality measures to be positive step towards assessing the quality of telehealth services, they do not constitute a comprehensive assessment of telehealth quality. We maintain the importance of assessing the quality of telehealth services given that providers receive the same payment whether or not telehealth services are provided via video or audio-only through the end of the calendar year in which the public health emergency ends. Also, it is important for CMS to study the quality of telehealth services to ensure that services are medically necessary, equitable, and lead to improved health outcomes.
|HHS Office for Civil Rights||OCR should provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services. (Recommendation 4)||
HHS noted in its agency comments that OCR issued two guidance documents in June 2022 relating to uses of audio-only telehealth consistent with the HIPAA Rules, as well as the privacy and security of health information when using a cell phone or tablet. However, these telehealth guidance documents do not address key components of our recommendation. HHS also noted that OCR plans to develop additional guidance for providers regarding telehealth and will include information to help providers explain privacy and security risks to individuals in plain language. On April 5, 2023, HHS noted that OCR is developing draft guidance to help providers explain the privacy and security risks to patients in plain language when using remote communication technologies, including video telehealth platforms, to provide telehealth. OCR anticipates publishing the guidance later in 2023. Given the extension of many telehealth waivers to December 31, 2024, we maintain the importance of providing guidance to providers to help them educate patients on privacy and security risks when using video platforms for telehealth services.