Skip to main content
March 20, 2020

Expanding Telehealth Services to Fight COVID-19

Coronavirus: Life Sciences and Healthcare Regulatory Advisory

To help our clients navigate the coronavirus (COVID-19) crisis, Arnold & Porter has established a Coronavirus Task Force covering a wide range of issues and challenges. Subscribe to our "Coronavirus (COVID-19)" mailing list to receive our latest client Advisories and register for upcoming webinars.


Despite early high expectations for the role telehealth would play in the US health care delivery system, utilization of telehealth services has--until recently--been relatively modest. The COVID-19 crisis, however, is putting telehealth to the test, and patients and providers are endorsing its use in overwhelming numbers.1 Changes in federal and state regulations in response to the pandemic are expanding access to remote care for beneficiaries of Medicare and Medicaid and there is a scramble to meet the demand. Health care suppliers and providers with existing telehealth networks are desperately trying to increase the volume of patients they can serve, and new entrants into this space are moving fast to establish remote patient care and diagnostic services.

This Advisory summarizes important recent changes in the telehealth landscape and reviews some key regulatory and transactional issues to consider before designing a new telehealth service line. Our team is closely monitoring legislative and regulatory developments, and we are available to answer additional questions that may arise from these new developments.

This Advisory is organized into four short sections:

I:    Expanded Coverage for Telehealth Services »

II:   Relaxed HIPAA Regulatory Enforcement »

III:  Key Regulatory and Enforcement Considerations »

IV:  Transactional Considerations »

I. Expanded Coverage for Telehealth Services

A. Medicare

On January 31, 2020, the Secretary of the U.S. Department of Health and Human Services (HHS), Alex Azar, declared a national public health emergency2 (effective January 27, 2020) in response to the COVID-19 outbreak (COVID-19 Public Health Emergency Declaration).3 Subsequently, on March 6, 2020, President Trump signed the Coronavirus Preparedness and Response Supplemental Appropriations Act (CPRSAA)4 into law, which, among other things, amended Section 1135 of the Social Security Act (SSA)5 to grant additional authority to the Secretary of HHS (Secretary) to waive certain Medicare and Medicaid program requirements (§ 1135 Waiver Authority) in the event of a national emergency, including public health emergencies as declared by the Secretary. On March 17, 2020, the Centers for Medicare and Medicaid Services (CMS) followed with guidance concerning the implementation of a waiver by the Secretary of certain requirements for Medicare coverage of telehealth services.6

CPRSAA's new waiver authorizes the Secretary to waive the Medicare "originating site" requirement, allowing the delivery of telehealth services to beneficiaries in their homes and outside of an HPSA area. CPRSAA also authorizes the Secretary to waive restrictions on the use of a telephone to deliver telehealth, as long as the telephone has audio and video capabilities that are used for two-way, real-time interactive communication (e.g., a smartphone). This new waiver authority is effective from March 6, 2020, until the date on which the COVID-19 Public Health Emergency Declaration expires.7 Several offices and operating divisions of HHS have also announced they will exercise enforcement discretion relating to certain otherwise applicable requirements to facilitate use of telehealth during the COVID-19 Public Health Emergency.

The table below compares pre-waiver Medicare coverage and payment policies for telehealth services, Virtual Check-In encounters and E-visits and the changes to each type of service made through the new waiver authority:8

  Prior Policy9  What Changed?
Medicare Telehealth Visits Medicare covers certain telehealth services specified by CPT codes (e.g., home and office visits, mental health counseling, and preventive health screenings).10
No change in services recovered.
  Sites originating a telehealth encounter must be in a designated rural area and are limited to specific facilities, not including a patient’s home.
Rural area-only requirement is waived as well as the restriction on place of service—a patient may be located in any health care facility or the patient’s home.
  Requires use of real-time, interactive, audio-visual telecommunication technology.
Permits use of a telephone with audio/visual capabilities (e.g., smartphone).
Virtual Check-Ins Brief communication from home via various communication technologies including phones that are intended to avoid unnecessary trips to the health care provider (HCP). Virtual Check-Ins are covered without regard to geographic area, but are subject to certain limits relating to services pre- or post-check-in.
No change (but see discussion below about prior relationship with patient).
E-Visits Patient-initiated E-visits with specified professionals through on-line patient portal, including E&M services. E-visits are covered without regard to geographic area. No change (but see discussion below about prior relationship with patient).
Screening of Patients to Determine if Further Care Required
No coverage for screening services, unless the encounter falls into one of the three categories above.
No change.
Payment to Health Care Providers and Originating Site
Payment for covered professional services delivered via applicable technologies made under Medicare Part B Physician Fee Schedule (at the "facility" rate).
No change in payment methodology or rates.
  The originating site is entitled to payment (as described above) for facilitating the interaction.11
No change in payment methodology or rates.
  No payment for internet access charges.
No change.
Beneficiary Cost-Sharing
Deductibles and coinsurance apply.
No change.
See section below regarding recent guidance from the Department of Health and Human Services Office of Inspector General (HHS OIG) announcing the intent to use its enforcement discretion to give HCPs more flexibility to waive cost sharing requirements.
Health Care Providers Eligible for Payment
Generally, any HCP eligible to direct bill Medicare for the service in question may bill for telehealth services. Depending on the service and subject to state law, this includes: physicians, nurse practitioners, physician assistants, nurse midwives, certified nurse anesthetists, clinical psychologists, social workers, and certain other health care professionals.
No change.


Other Key Points

  • Existing Patient Relationship Requirement: Under CPRSAA's new waiver, there is a requirement that the health care professional (HCP) furnishing the telehealth service, or another member of the HCP's group practice, must have furnished covered Medicare services for the beneficiary during the three-year period preceding the telehealth service. Nevertheless, CMS announced that it "will not conduct audits to ensure that such a prior relationship existed for claims submitted during the public health emergency,'12 presumably to avoid denying access to new patients.13
  • What Service May Be Billed: Virtual Check-Ins and E-visits should be reported only if the telehealth encounter did not involve video, the time requirements are met, and, in the case of Virtual Check-Ins, the visit requirements are met. When a telehealth service is furnished, the provider should bill the service that was provided and was medically necessary (e.g., level four established patient visit) and should document accordingly using the current Evaluation and Management Services documentation guidelines (e.g., time or key components). If the patient is a new patient, the new patient visit codes should be reported and history, medical decision making, and time should be documented.
  • Cost-Sharing Obligations: The routine waiver of some or all of patient cost-sharing obligations can potentially implicate the federal Anti-Kickback Statute (AKS), the Beneficiary Inducement Statute (BIS), as well as state fraud and abuse laws. Notably, on March 17, 2020, the HHS Office of Inspector General (OIG) issued a Policy Statement notifying health care providers that, due to the unique circumstances resulting from the COVID-19 outbreak, OIG will not subject providers to administrative sanctions under the AKS or BIS for reducing or waiving any cost-sharing obligations that federal health care program beneficiaries may owe for telehealth services, as long as (1) the services are furnished consistent with applicable coverage and payment rules, and (2) the services are furnished while the COVID-19 Public Health Emergency Declaration is in effect. According to the Policy Statement, OIG also "will not view the provision of free telehealth services alone to be an inducement or as likely to influence future referrals (i.e., OIG will not view the furnishing of subsequent services occurring as a result of the free telehealth services, without more, as evidence of an inducement)."

B. Medicaid

On March 12, 2020, CMS published guidance on Medicaid State Plan Fee-for-Service Payments for Services Delivered Via Telehealth.14 This guidance encourages states to facilitate clinically appropriate care within their state Medicaid programs using telehealth technology to deliver services covered under their state plans, and CMS emphasizes that states have a great deal of flexibility with respect to covering Medicaid services provided via telehealth.

According to this CMS guidance, states are not required to submit a State Plan Amendment (SPA) to pay for telehealth services if payments for services furnished via telehealth are made in the same manner as when the service is furnished in a face-to-face setting. However, a state would need an approved state plan payment methodology (and thus, might need to submit a SPA) to establish rates or payment methodologies for telehealth services that differ from those applicable for the same services furnished in a face-to-face setting. The CMS guidance provides two helpful sample State Plan Fee-for-Service Payment Methodologies for Telehealth.

C. Private Insurance

Private insurance companies have a great deal of flexibility in paying for services delivered via telehealth, and many private insurance companies already offer services via telehealth without the restrictions imposed by the Medicare program. In light of the COVID-19 pandemic, many private insurance companies are waving coinsurance for telehealth services to remove barriers to access and encourage patients to seek medical advice. Practitioners interested in furnishing telehealth services should check with specific private insurers to determine exactly what additional benefits are currently available.

D. Outlook

Although the CPRSAA passed less than two weeks ago, hospital and health care provider groups are requesting that Congress include expanded § 1135 Waiver Authority with respect to telehealth in the next COVID-19 response package. Proposals include:

  • Removing the statutory requirement that a provider must have had an established relationship with a patient in the past three years.
  • Permitting the use of audio-only telephonic interactions, given that not all Medicare beneficiaries have access to a smartphone.

We recommend that stakeholders keep a close eye on future actions by Congress and CMS regarding coverage of telehealth services.

» Return to Top

II. Relaxed HIPAA Regulatory Enforcement

Telehealth raises significant patient privacy concerns, primarily due to the potential data security risks of communicating online about personal health information. On March 17, 2020, the HHS Office for Civil Rights (OCR:) announced that, effective immediately, it will exercise enforcement discretion to waive potential penalties for violations of the privacy, security, and security breach notification regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act for health care providers and their "business associates" serving patients through "everyday communications technologies" during the COVID-19 Public Health Emergency.

As stated by OCR Director Roger Severino, the waiver is needed to empower health care providers to continue to serve patients safely and responsibly, particularly elderly patients and those with serious underlying health conditions, during the COVID-19 Public Health Emergency.

  • Under the waiver, health care providers who want to use audio or video communication technology to provide telehealth to patients during the emergency period may use any non-public-facing remote communication product that is available to communicate with patients. This waiver temporarily relaxes the strict rules for technological security that, under the HIPAA security rule (45 C.F.R. §§ 302-318), would otherwise limit health care providers to the use of technologies with proven security controls.
  • The waiver is not limited to telehealth services related to the diagnosis and treatment of health conditions related to COVID-19. It applies also to the use of telehealth technologies to communicate about entirely unrelated conditions, recognizing that, regardless of the subject of their communications, both providers and patients face increased risk of COVID-19 infection if the communication occurs in-person.

The HIPAA privacy and security rules require that an HCP seeking to use a particular technology channel to communicate with patients must bind the technology vendor to a "business associate agreement" (BAA) that, among other things, requires the vendor to comply with the HIPAA security rules. Those rules set standards for a variety of data-protection controls, such as encryption, access limitations, backup and contingency measures. While some vendors of telehealth technology (e.g.,, Google G Suite Hangouts Meet, Skype for Business, Updox, VSee, and Zoom for Healthcare) have taken steps to comply with the HIPAA security rule and offer HIPAA BAAs, other vendors do not purport to provide the level of data protection mandated under the HIPAA rules.

  • Under the new waiver, it is permissible to use the latter group of vendors (including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype) to provide telehealth during the COVID-19 Public Health Emergency. However, as when communicating with patients at their request through email or text messaging, health care providers should warn patients of the data security risks raised by use of these non-BAA-bound vendors, and providers should enable all available encryption and privacy modes when using such applications.
  • Under the new OCR waiver policy, providers may only use non-public-facing remote communication products without risk of HIPAA penalties during the COVID-19 Public Health Emergency. Use of any public-facing communication product—e.g., Facebook Live, Twitch, TikTok — is not covered by the waiver policy and OCR has expressly prohibited such use for the provision of telehealth by HIPAA-regulated health care providers.

» Return to Top

III. Key Regulatory and Enforcement Considerations

A. Licensure & Scope of Practice

All 50 states and the District of Columbia have laws, regulations, and guidance applicable to telehealth. These policies concern requisite licensure, how to establish valid practitioner-patient relationships (e.g., via face-to-face examination), scope of practice for various clinician types, prescribing authority, and technology requirements. At present, most states require that practitioners engaging in telehealth must be licensed in the state in which the patient is located. However, some states have procedural mechanisms for a practitioner who intends to practice across state lines (e.g., a special license related to telehealth, registration with the state to practice across state lines).

  • In response to COVID-19, state medical boards have begun implementing emergency waivers to practitioner licensure requirements. As of March 17, 2020, 18 states and the District of Columbia have issued state licensure requirement waivers. Although the specifics vary by state, these waivers generally allow out-of-state practitioners to provide medical care in response to COVID-19. Practitioners intending to offer telehealth services across state lines should consult with the Board of Medicine in the state where the patient(s) is located to ensure compliance with state telehealth and practitioner licensure requirements.
  • Additionally, the Federation of State Medical Boards (FSMB) is engaging state medical boards and state health departments to address licensure issues. FSMB has created a Task Force on Pandemic Preparedness that is working to identify, evaluate and maintain current information concerning the preparedness of states to mobilize health care professionals. Arnold & Porter continues to monitor state practitioner licensure requirements, and we anticipate that they will continue to evolve quickly.

B. Establishing Provider-Patient Relationships

Most states require that practitioners and patients have an established "relationship" as a precursor to practitioners' providing treatment. While the American Medical Association (AMA) takes the position that a physician-patient relationship can exist if a face-to-face encounter occurs either in person, or virtually through real time audio-visual technology,15 states vary widely in how they define the physician-patient relationship. Some states require an in-person physical examination at the outset to establish a physician-patient relationship.

  • For example, New Hampshire requires first meeting a patient in person.16 However, other states, such as Kentucky, are more lenient and permit physician-patient relationships to be formed via telehealth.17
  • While there are a number of differences across states, most states require physicians to establish a patient-physician relationship prior to writing a prescription.18 Therefore, despite Medicare's announcement regarding the existing relationship coverage criterion, state law may inhibit use of this flexibility in practice. Practitioners should consult state and federal law prior to providing the services, particularly if the practitioner has not conducted at least one in-person medical evaluation of the patient.

C. Hospital Credentialing

Typically, a distant-site practitioner's qualifications must be evaluated and verified via the originating-site's credentialing process before the HCP may provide telehealth services at that hospital, a process which can take a month or longer and involves a detailed vetting of the provider's professional and personal information. In addition, credentialing requirements often apply at the hospital level: even practitioners credentialed at one hospital within an integrated network may be required to go through the credentialing approval process before being permitted to provide telehealth services at an affiliated hospital. Credentialing requirements are often compelled as conditions of participation for reimbursement from the Medicare, Medicaid, and CHIP programs.19 In addition, state law often requires hospitals to establish a credentialing process that applies to any physician who shall admit or treat patients in that hospital.20

  • §1135 Waiver Authority. Pursuant to subsection (b) of the §1135 Waiver Authority (discussed above), HHS has waived "certain conditions of participation, certification requirements, program participation or similar requirements for individual health care providers or types of healthcare providers" including "a hospital or other provider of services" as well as "pre-approval requirements."21 This waiver appears broad enough to encompass credentialing requirements compelled as conditions of participation for the Medicare, Medicaid, and CHIP programs.
  • Federal and State Exceptions for Telehealth. Additionally, Medicare regulations already permit an exception to normal credentialing requirements for providers furnishing services via telehealth from a distant-site hospital. Sometimes referred to as credentialing "by proxy," the regulations permit hospitals (and other health care organizations) to rely on the provider credentialing and privileging decision made by a distant-site hospital as it relates to a given physician.22 Nevertheless, this exception is subject to certain conditions, such as a written agreement acknowledging the arrangement between the originating-site and distant-site hospitals.23 Similarly, many states may provide for analogous exceptions permitting credentialing by proxy for telehealth services.24 Hospitals are encouraged to review any arrangements that they may maintain with distant-site hospitals regarding credentialing.
  • State Waivers. Additionally, some states permit the waiver of credentialing requirements in the face of health emergencies.25 So far, both Louisiana26 and Texas27 appear to have invoked authorities enabling the temporary waiver of credentialing requirements to some extent. Hospitals are further encouraged to carefully monitor developments from their state governing bodies as it relates to the waiver of credentialing requirements in response to the declaration of national and state public health emergencies.

D. Diagnostic Testing

Many states have laws governing direct consumer access to laboratory testing (DAT laws), which prohibit or restrict clinical laboratories from conducting diagnostic tests without an order from a licensed practitioner. For states with DAT laws, there may be regulatory requirements or guidance concerning whether a practitioner-patient relationship must be established, and whether the diagnostic test order must be generated based on a valid telehealth encounter, in order for the diagnostic test order to satisfy state DAT law requirements. Practitioners intending to order clinical laboratory testing as part of a remote encounter should be mindful to comply with state telehealth requirements and any applicable DAT laws.

E. Informed Consent

There are a variety of contexts in which the sufficiency of informed consent in telehealth is an issue (e.g., Medicaid reimbursement28 and malpractice cases). Given the potential for telehealth to add an additional layer of complexity onto patients' understanding of their care, several states have implemented telehealth-specific informed consent laws. These laws apply to physicians and other licensed professionals, and these laws run the gamut from generally directing that informed consent be obtained29 to mandating that patients be informed of specific concerns, such as that "[t]he quality of transmitted data may affect the quality of services provided by the provider" and that "[t]he knowledge, experiences, and qualifications of the consultant providing data and information to the provider of the telehealth services need not be completely known to and understood by the provider . . . ."30

F. Controlled Substance Prescribing

The federal Ryan Haight Act prohibits dispensing controlled substances via the internet without a "valid prescription." A "valid prescription" must be issued by either a practitioner who has conducted at least one in-person medical evaluation of the patient, or by a covered practitioner. 21 U.S.C. § 829(e)(2)(A). Although there is an exception for prescriptions issued by a "practitioner engaged in the practice of telemedicine," 21 U.S.C. § 829(e)(3)(A), the definition of "practice of telemedicine" is difficult to satisfy, making the telemedicine exception very narrow.

In response to COVID-19, the Drug Enforcement Administration (DEA) issued guidance that, for the duration of the COVID-19 Public Health Emergency, DEA-registered practitioners may issue prescriptions for controlled substances to patients without an in-patient medical evaluation, provided that certain conditions are met. The most notable of these conditions is that the telemedicine communication be conducted using an "audio-visual, real-time, two-way interactive communication system."

States have implemented their own telemedicine controlled substance prescribing laws. For example, subject to limited exception, New Jersey law prohibits the prescription of certain controlled substances through telemedicine unless the prescriber has conducted an initial in-person examination of the patient (and conducts subsequent in-person visits with the patient every three months for the duration of treatment by the prescribed product).31 On the other hand, Indiana expressly permits controlled substance prescribing via telemedicine, without an in-person examination, so long as the prescriber complies with certain specified requirements.32

Practitioners intending to prescribe controlled substances as part of a telehealth encounter should consult state and federal law prior to doing so, particularly if the practitioner has not conducted at least one in-person medical evaluation of the patient.

G. Fraud and Abuse Considerations

With increased government funds comes increased government scrutiny. Once the immediate public health emergency has passed, the US Department of Justice (DOJ), state Attorneys General, and private whistleblowers will inevitably begin to focus on potential fraud.33 Even before the current pandemic, telemedicine had emerged as a new focus for DOJ health care fraud prosecutors. Under the criminal AKS, it is a felony to give or receive "remuneration" as an inducement to refer or order services or items covered by Medicare, Medicaid, and other federal health care programs. In just the past two years, DOJ has announced numerous high-profile kickback prosecutions against telehealth companies and executives, including a nationwide series of indictments in 2019 that alleged over $3 billion in losses from alleged kickback schemes to induce telehealth prescriptions for medically unnecessarily medical devices and genetic testing.34 Telehealth's appeal to private equity investors is also ripe for DOJ scrutiny, given the government's recent pursuit of novel FCA liability theories against private equity firms for the actions of their medical practice investments.35

To ensure compliance with the fraud and abuse laws, parties entering into arrangements related to the provision of telehealth services should carefully consider the federal and state laws that may be implicated and how to structure those arrangements properly. The failure to do can result in civil or criminal penalties. Individuals and entities furnishing telehealth services should, therefore, be on the lookout for any federal and state government updates which can serve as guidance on the fraud and abuse implications of furnishing telehealth services during the COVID-19 Public Health Emergency.

H. Software as a Medical Device (SaMD): FDA Considerations

If entities are implementing software to support telehealth, and in particular software incorporating functionalities such as algorithms or artificial intelligence (AI), to screen or triage patients or guide physician clinical decisions, it is important to bear in mind that certain types of software may constitute an FDA-regulated medical device. Such device status can implicate Food and Drug Administration (FDA) quality system, reporting, and clearance or approval requirements.

Section 3060(d) of the 21st Century Cures Act amended section 201(h) of the Federal Food, Drug, and Cosmetic (FD&C) Act to exempt from device status certain software functions. These include, but are not limited to, a software function that is intended—

  • "for administrative support of a health care facility, including the processing and maintenance of records, including for population health management,"
  • for "general wellness" and that does not relate to a specific disease or condition, such as a device to manage stress,
  • "to serve as electronic patient records, including patient-provided information, to the extent that such records are intended to transfer, store, convert formats, or display the equivalent of a paper medical chart, so long as—

(i) such records were created, stored, transferred, or reviewed by health care professionals, or by individuals working under supervision of such professionals;

(ii) such records are part of health information technology that is certified under section 3001(c)(5) of the Public Health Service Act (the Office of the National Coordinator for Information Technology (ONC) Health IT Certification Program); and

(iii) such function is not intended to interpret or analyze patient records, including medical image data, for the purpose of the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition;" and

  • for "transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional with respect to such data and results, general information about such findings, and general background information about such laboratory test or device, unless such function is intended to interpret or analyze clinical laboratory test or other device data, results, and findings." Such software functions should not modify the data or control or alter the functions or parameters of a connected medical device.

Certain clinical decision support (CDS) software functions are also excluded from the definition of device. Specifically, section 520(o)(1)(E) of the FD&C Act excludes from the definition of device software functions that are:

(1) not intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system;

(2) intended for the purpose of displaying, analyzing, or printing medical information about a patient or other medical information (such as peer-reviewed clinical studies and clinical practice guidelines);

(3) intended for the purpose of supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition; and

(4) intended for the purpose of enabling such health care professional to independently review the basis for such recommendations that such software presents so that it is not the intent that such health care professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.

In practice, the latter requirement is particularly important. FDA interprets the provision as requiring that the particular software functions be transparent to the clinician, i.e., described in plain language, including: (1) the purpose or intended use of the software function; (2) the intended user, (3) the inputs used to generate the recommendation; and (4) the basis for rendering a recommendation. In order to describe the basis for a recommendation, regardless of the complexity of the software, it must describe the underlying data used to develop the algorithm and include plain language descriptions of the logic or rationale used by an algorithm to render a recommendation. The sources supporting or underlying the basis for the recommendation (e.g., the underlying clinical practice guidelines) should be identified and available to, and understandable by, the intended user. Given the complexities associated with certain software clinical decision support functions—such as those incorporating complex algorithms or AI—this is often not possible, and the software will then be subject to regulation as a medical device.

» Return to Top

IV. Transactional Considerations

The new regulatory flexibilities and coverage changes to address the current public health emergency are enabling health care providers to quickly use commonly available video platforms to deliver telehealth to their patients, as well as laying the foundation for deeper collaborations with technology vendors to deliver more integrated and comprehensive telehealth offerings. Getting telehealth offerings launched quickly may be of paramount importance to protect patients and providers at this time, but consideration of the contractual terms of those arrangements may facilitate longer term success:

  • Make sure the nature of the application is suitable for your telehealth offerings — does it offer the features, functionality, and privacy settings that you are seeking?
  • Confirm that everyone on the care team (e.g., physicians, nurses, educators) has access to the platform.
  • Be mindful of the treatment of patient data as well as provider personnel data. Make sure that privacy and encryption settings are configurable and easily enabled. Understand what types of information may be shared and/or retained by the technology provider and the uses of data being authorized.
  • Carefully consider the provider and patient implications of exclusive arrangements, and opt for non-exclusivity when possible.
  • Mitigate risks and misunderstandings regarding the functioning of the platform through clear disclaimers so that users are aware of privacy, technical or other limitations.
  • Work with the technology provider to limit the impact on patient care of planned and unplanned platform unavailability. Understand how disaster recovery and platform issues will be managed during these challenging times.
  • Make sure that transitioning off the platform is available and easy, particularly given the potentially temporary nature of many of the current telehealth regulatory changes.

» Return to Top

© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. Erin Brodwin, Surge in patients overwhelms telehealth services amid coronavirus pandemic, StatNews (March 17, 2020).

  2. HHS, Declaration of Public Health Emergency (Jan. 31, 2020)

  3. HHS, Press Release, Secretary Azar Declares Public Health Emergency for United States for 2019 Novel Coronavirus (Jan. 31, 2020).

  4. Pub. L. No. 116-123, § 102.

  5. 42 U.S.C. § 1320b-5(b).

  6. CMS, FAQ, Medicare Telehealth Frequently Asked Questions (FAQs) (hereinafter, "CMS Telehealth FAQ") (March 17, 2020); CMS, Fact sheet, Medicare Telemedicine Health Care Provider Fact Sheet (March 17, 2020).

  7. HHS, Press Release, Secretary Azar Declares Public Health Emergency for United States for 2019 Novel Coronavirus (Jan 31, 2020).

  8. This table is based primarily on CMS, Medicare Telemedicine Health Care Provider Fact Sheet (March 17, 2020).

  9. Existing policy is largely based on Social Security Act § 1843(m) {42 U.S.C. 1934m(m)}.

  10. See list of covered services.

  11. See Social Security Administration, Special Payment Rules for Particular Items and Services.

  12. CMS Telehealth FAQ.

  13. On March 19, 2020, the Senate Republicans released a bill, the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which includes a provision that would remove the statutory requirement for a prior relationship between provider and patient during the emergency period.

  14. Medicaid Telehealth Guidance.

  15. Id.

  16. NH Revised Statutes Annotated, Sec. 329:1-c.

  17. KY Rev. Statute 218A.010; see also Alabama State Board of Medical Examiners Rule 540 -X-9-.11.

  18. See, e.g., HI Revised Statutes § 329-1; ID Code § 54-1733; IN Admin. Code, Title 844, 5-3-2; KS Admin. Regs., Sec. 68-2-20; KY Revised Statutes § 311.597; ME Regulation Sec. 02-373-6 & 02-383-6.

  19. See, e.g., 42 C.F.R. §§ 482.12(a), 482.22(a) (requiring medical staff credentialing as a condition of participation in the Medicare program).

  20. See, e.g., MD Code Regs.

  21. See Waiver or Modification of Requirements Under Section 1135 of the Social Security Act.

  22. 42 C.F.R. §§ 482.12(a)(8), (9), 482.22(a)(3), (4).

  23. See, e.g., 42 C.F.R. § 482.22(a)(3), (4).

  24. See, e.g., MD Code Regs. (adopting a similar exception and referencing the Medicare conditions of participation regulations).

  25. For example, a Maryland statute permits the state Department of Health, in coordination with state health occupation boards "to develop a process to license, certify, or credential both licensed health care practitioners and out-of-state health care practitioners who may be needed to respond to a catastrophic health emergency." MD. Code. Ann., Health-Gen. § 18-903(c) (emphasis added).

  26. See Proclamation Number 25 JBE 2020 - Public Health Emergency COVID-19 (invoking the Louisiana Health Emergency Powers Act, La. R.S. 29:760, et seq., which permits temporary waiver of credentialing requirements at R.S. 29:764(A)(9)).

  27. See COVID-19 Disaster Licensing for Out-of-State Providers (permitting hospital-to-hospital credentialing of out-of-state physicians).

  28. For example, the California Medicaid program requires healthcare providers to obtain informed consent in order perform telehealth services. See Medi-Cal Telehealth Policy.

  29. See, e.g., Ky. Rev. Stat. Ann. § 311.5975.

  30. Md. Code Regs. (established by the Board of Examiners for Audiologists, Hearing Aid Dispensers, and Speech-Language Pathologists); see also La. Admin. Code tit.46 pt. XLV, § 7511 (requiring "informed of the relationship between the physician and patient and the respective role of any other health care provider with respect to management of the patient" and that the patient be "notified that he or she may decline to receive medical services by telemedicine and may withdraw from such care at any time.")

  31. N.J. Stat. Ann. § 45:1-62(e).

  32. Ind. Code 25-1-9.5-8.

  33. See Lydia Wheeler, Coronavirus False Claims Task Force Urged at Justice Department, Bloomberg Law (Mar. 17, 2020).

  34. DOJ, Press Release, Federal Indictments & Law Enforcement Actions in One of the Largest Health Care Fraud Schemes Involving Telemedicine and Durable Medical Equipment Marketing Executives Results in Charges Against 24 Individuals Responsible for Over $1.2 Billion in Losses (Apr. 9, 2019); DOJ, Press Release, Federal Law Enforcement Action Involving Fraudulent Genetic Testing Results in Charges Against 35 Individuals Responsible for Over $2.1 Billion in Losses in One of the Largest Health Care Fraud Schemes Ever Charged (Sept. 27, 2019).

  35. See Arnold & Porter, "FCA's Reach Gets Longer: Private Equity Firms at Risk," Qui Notes: Unlocking the False Claims Act (Sept. 23, 2019).