United States Government Accountability Office Report to Congressional Addressees MEDICARE September 2022 TELEHEALTH Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks GAO-22-104454 September 2022 MEDICARE TELEHEALTH Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Highlights of GAO-22-104454, a report to Risks congressional addressees Why GAO Did This Study What GAO Found By law, Medicare pays for telehealth In response to the COVID-19 pandemic, the Department of Health and Human services under limited circumstances- Services (HHS) temporarily waived certain Medicare restrictions on telehealth- such as only in certain (mostly rural) the delivery of some services via audio-only or video technology. Use of geographic locations. The waivers and telehealth services increased from about 5 million services pre-waiver (April to other flexibilities that HHS issued in December 2019) to more than 53 million services post-waiver (April to December March 2020 (including under its own regulatory authority) have allowed 2020). Total utilization of all Medicare services declined by about 14 percent services to be safely delivered and post-waiver due to a 25 percent drop in in-person service use. GAO also found received during the pandemic. There is that, post-waiver, telehealth services increased across all provider specialties, stakeholder interest in making these and 5 percent of providers delivered over 40 percent of services. Urban providers changes permanent. GAO and others delivered a greater percentage of their services via telehealth compared to rural have noted that extending them may providers; office visits and psychotherapy were the most common services. increase spending and pose new risks of fraud, waste, and abuse. Telehealth and In-Person Utilization, by Month, April 2019–December 2020 GAO was asked to review telehealth services under the waivers. This report describes, among other issues, (1) the utilization of telehealth services, (2) CMS efforts to identify and monitor risks posed by Medicare telehealth waivers, and (3) a change OCR made to its enforcement of regulations governing patients' protected health information during the COVID-19 public health emergency. GAO analyzed Medicare claims data from 2019 through 2020 (the most recently available data at the time); The Centers for Medicare & Medicaid Services (CMS) within HHS took actions to reviewed federal statutes, CMS monitor some program integrity risks related to the telehealth waivers. However, documents (including its assessment CMS lacks complete data on the use of audio-only technology and telehealth of risks posed by telehealth waivers), visits furnished in beneficiaries' homes. This is because there is no billing and OCR guidance; and interviewed mechanism for providers to identify all instances of audio-only visits. Moreover, agency officials. providers are not required to use available codes to identify visits furnished in What GAO Recommends beneficiaries' homes. Complete data are important, as the quality of these services may not be equivalent to that of in-person services. Also, CMS has not GAO is making three comprehensively assessed the quality of telehealth services delivered under the recommendations for CMS to waivers and has no plans to do so, which is inconsistent with CMS' quality strengthen its telehealth oversight, and strategy. Without an assessment of the quality of telehealth services, CMS may one for OCR to provide additional not be able to fully ensure that services lead to improved health outcomes. direction to providers to explain privacy and security risks to patients. HHS In March 2020, HHS's Office for Civil Rights (OCR) announced that it would not neither agreed nor disagreed with the impose penalties against providers for noncompliance with privacy and security three CMS recommendations and requirements in connection with the good faith provision of telehealth during the concurred with the OCR COVID-19 public health emergency. OCR encouraged covered providers to recommendation. notify patients of potential privacy and security risks. However, it did not advise providers of specific language to use or give direction to help them explain these View GAO-22-104454. For more information, risks to their patients. Providing such information to providers could help ensure contact Leslie V. Gordon at (202) 512-7114 or GordonLV@gao.gov. that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology. United States Government Accountability Office Contents Letter 1 Background 6 Utilization of and Spending on Telehealth Services Increased Under Waivers; Services Were Concentrated Among 5 Percent of Providers and Beneficiaries 10 CMS Identifies and Monitors Some Program Integrity Risks but Lacks Complete Data about Telehealth Delivery and Has Not Assessed Care Quality 17 Patients May Be Unaware that OCR's March 2020 Telehealth Policy May Not Protect Patient Privacy 29 Stakeholders Believe Telehealth Waivers Enabled Access but Noted Limitations; Most Support Extension 35 Conclusions 40 Recommendations for Executive Action 41 Agency Comments and Our Evaluation 41 Appendix I Objectives, Scope, and Methodology 47 Appendix II Additional Information on Telehealth Utilization 54 Appendix III Overview of Health Insurance Portability and Accountability Act of 1996 Privacy, Security, Enforcement, and Breach Notification Rules 58 Appendix IV Comments from the Department of Health and Human Services 60 Appendix V GAO Contact and Staff Acknowledgments 69 Tables Table 1: Examples of Telehealth Coverage in Traditional Medicare, Before and Starting in or after March 2020 7 Table 2: Stakeholder Groups Interviewed 50 Table 3: Medicare Telehealth Utilization, by Service Type and Select Specialties, 2019 and 2020 54 Page i GAO-22-104454 Medicare Telehealth Table 4: Medicare Telehealth Utilization, by Categories of Services, April–December 2019 and 2020 55 Table 5: Overview of HIPAA Privacy, Security, Enforcement, and Breach Notification Rules 58 Figures Figure 1: Utilization of Medicare Services Delivered via Telehealth or In-person, by Month, April 2019–December 2020 12 Figure 2: Percentage of Medicare Telehealth Services, by Provider Specialty, for Selected Months in 2020 14 Figure 3: Percentage of Providers Delivering Medicare Telehealth Services Compared To In-Person Services, Post-Waiver April 2020–December 2020 15 Figure 4: Percentage of Medicare Telehealth Services Pre- and Post-Waiver, by Provider Location, April 2019–December 2020 16 Figure 5: Medicare Telehealth Services Pre- and Post-Waiver, by Service Type, April 2019–December 2019 and April 2020–December 2020 17 Figure 6: Use of Medicare Telehealth, by Beneficiary Characteristic, April–December 2020 57 Page ii GAO-22-104454 Medicare Telehealth Abbreviations BETOS Berenson-Eggers Type of Service CMS Centers for Medicare & Medicaid Services COVID-19 Coronavirus Disease 2019 HHS Department of Health and Human Services HIPAA Health Insurance Portability and Accountability Act of 1996 OCR Office for Civil Rights PHI protected health information This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page iii GAO-22-104454 Medicare Telehealth Letter 441 G St. N.W. Washington, DC 20548 September 26, 2022 Congressional Addressees Since January 2020, the COVID-19 pandemic has resulted in catastrophic loss of life, particularly among older Americans over the age of 65. 1 In response to the COVID-19 pandemic, Congress and the administration have taken actions to protect the health and well-being of Americans. Among these actions, in March 2020, the Department of Health and Human Services (HHS) temporarily waived certain longstanding statutory and regulatory requirements in traditional Medicare to ensure beneficiaries' access to necessary health care via telehealth, while reducing exposure risk to COVID-19. 2 For example, HHS waivers expanded the availability of telehealth services-certain clinical services, such as office visits with primary care and other practitioners, and psychotherapy services-that are normally furnished in person, but instead may be conducted remotely via video, audio-only (i.e., a phone call), or other telecommunication technologies. 3 Typically, by law, Medicare pays for telehealth services under limited circumstances, such as only in certain (mostly rural) geographic locations, and in specific sites of service, such as a hospital or health clinic. 1According to our analysis of data from the Centers for Disease Control and Prevention, more than 74 percent of deaths involving COVID-19 are among individuals age 65 and older, as of June 2, 2022. Centers for Disease Control and Prevention, "Weekly Updates by Select Demographic and Geographic Characteristics," National Center for Health Statistics, accessed June 13, 2022, https://www.cdc.gov/nchs/nvss/vsrr/covid_weekly/index.htm. 2In this report, we examine telehealth services in traditional Medicare fee-for-service, which consists of Medicare Parts A and B. Medicare Part A covers hospital and other inpatient stays. Medicare Part B covers outpatient services including physician, outpatient hospital, and home health care. We did not examine telehealth services in Medicare Advantage-private plans offered in Medicare-because these plans are not subject to the same statutory limitations as traditional Medicare, and they have the flexibility to offer additional telehealth benefits not covered by Medicare outside of the public health emergency. 3For purposes of this report, our definition of telehealth also includes other Medicare- covered services that may only be provided remotely. These include e-visits and virtual check-ins-which the Centers for Medicare & Medicaid Services (CMS) collectively defines as telemedicine-as well as remote patient monitoring services. Under the waivers, providers can use video or audio-only technology to furnish certain services via telehealth. In this report, our references to a telehealth visit, office visit, or service include visits conducted using either video or audio-only technology, unless we specify otherwise. Page 1 GAO-22-104454 Medicare Telehealth The telehealth waivers have allowed providers-physicians and other clinicians-to furnish, and beneficiaries to receive, services safely during the pandemic, and there is interest from provider groups and policymakers in making telehealth waivers permanent. However, as others and we have noted, extending telehealth waivers may increase Medicare spending if the expanded availability of telehealth results in providers furnishing telehealth services in addition to any services they would otherwise furnish in person. The expanded availability of telehealth services under the waivers, including the additional types of providers that can now deliver these services nationwide, may also present new risks of fraud, waste, and abuse. 4 In addition, researchers have raised questions about the extent to which beneficiaries have equal access to telehealth services. Moreover, the use of telehealth technology may present privacy and security risks to Medicare beneficiaries, such as the inappropriate disclosure of beneficiaries' health information. 5 The HHS Office for Civil Rights (OCR) is responsible for administering and enforcing the regulations which protect patients' health information, including Medicare beneficiaries. 6 In March 2020, OCR made changes to 4Fraud involves obtaining something of value through willful misrepresentation. Whether an act is in fact fraud is a determination made through the judicial or adjudicative system. Waste includes overusing services, such as excessive diagnostic testing. Abuse involves actions inconsistent with acceptable business or medical practices. In general, improper payments are payments that should not have been made or were made in the incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Improper payments include payments made as a result of fraud, though not all improper payments are the result of fraud. CMS's program integrity practices include activities such as monitoring the claims submitted by providers to ensure compliance with Medicare coverage requirements, investigating suspected fraudulent activity, and educating providers about proper billing procedures. 5See, for example, Lori Uscher-Pines and Lucy Schulson, "Rethinking the Impact of Audio-Only Visits on Health Equity," Health Affairs (Washington, D.C.: Dec. 17, 2021), accessed June 15, 2022, https://www.healthaffairs.org/do/10.1377/forefront.20211215.549778/full; and Geetter, J. S., et al., "OCR Enforcement Waivers of Certain HIPAA Requirements in Furtherance of Telehealth During COVID-19 Pandemic," National Law Review, vol. XII, no. 166 (2020). 6These regulations (discussed in the Background section of this report) protect certain individually identifiable health information (referred to as protected health information) of individuals, including Medicare beneficiaries. In this report, we refer to this protection as the protection of patients' health information. Page 2 GAO-22-104454 Medicare Telehealth its enforcement of these regulations in an effort to support telehealth use during the public health emergency. The CARES Act includes a provision for us to conduct monitoring and oversight of the federal government's efforts to prepare for, respond to, and recover from the COVID-19 pandemic. 7 We also received a request to review what effect, if any, HHS's approval of telehealth waivers had on the response to COVID-19. 8 This report 1. describes the extent to which utilization of and spending for services approved for telehealth changed after HHS's approval of telehealth waivers in March 2020; 2. examines the Centers for Medicare & Medicaid Services' (CMS) efforts to identify and monitor risks posed by Medicare telehealth waivers; 3. examines a change OCR made to its enforcement of regulations governing patients' protected health information (PHI); and 4. describes the perspectives of stakeholders on Medicare telehealth services under waivers, including the possibility of extending waivers beyond the public health emergency. To describe the extent to which utilization of and spending for telehealth services changed after HHS's approval of telehealth waivers in March 2020, we used the CMS Medicare Part B fee-for-service claims data for 2019 and 2020-the most recently available data for the entire year at the time of our study. We limited these claims to the 309 services approved for telehealth after HHS approval of telehealth waivers. We analyzed aggregate utilization and spending for these services delivered in-person as well as via telehealth. We further analyzed utilization and spending by 7Pub. L. No. 116-136, § 19010(b), 134 Stat. 281, 580 (2020). We have regularly issued government-wide reports on the federal response to COVID-19. For the latest report, see GAO, COVID-19: Current and Future Federal Preparedness Requires Fixes to Improve Health Data and Address Improper Payments, GAO-22-105397 (Washington, D.C.: Apr. 27, 2022). Our body of work related to the CARES Act is available on our website at https://www.gao.gov/coronavirus. 8We previously published a Medicare telehealth enclosure in our November 2020 comprehensive CARES Act report and a testimony on Medicare program flexibilities, including telehealth, before the U.S. Senate Committee on Finance in May 2021. See GAO, COVID-19: Urgent Actions Needed to Better Ensure an Effective Federal Response, GAO-21-191 (Washington, D.C.: Nov. 30, 2020); and Medicare and Medicaid: COVID-19 Program Flexibilities and Considerations for Their Continuation, GAO-21-575T (Washington, D.C.: May 19, 2021). Page 3 GAO-22-104454 Medicare Telehealth provider specialty, service type, and beneficiary characteristics, among other things. 9 We analyzed these data across two time periods: pre- waiver and post-waiver. We defined the pre-waiver period as April 1 through December 31, 2019, and the post-waiver period as April 1 through December 2020. 10 To examine CMS efforts to identify and monitor risks posed by Medicare telehealth waivers, we interviewed agency officials as well as selected stakeholders, and reviewed relevant materials. For example, we reviewed documents such as CMS's COVID telehealth program integrity risk assessment and actions taken to address these risks, CMS's guidance for providers and beneficiaries regarding telehealth, and relevant federal statutes and regulations. 11 We reviewed selected research on telehealth risks, including our prior reports. We also reviewed reports from the Medicare Payment Advisory Commission, HHS Office of Inspector General, and academic researchers. In addition, between November 2020 and January 2022, we interviewed representatives from 26 provider groups and three beneficiary advocacy groups-all of whom have experience, knowledge, and interest in telehealth. See appendix I for additional details on our scope and methodology. We assessed CMS's efforts to identify and monitor risks against CMS's objectives to improve the agency's information about the appropriateness and effectiveness of services delivered via telehealth. For example, we assessed CMS's efforts to evaluate the quality of telehealth services against CMS's quality strategy-specifically, CMS's objective to reduce 9We analyzed utilization and spending across a range of provider specialties, including individual specialties (such as internal medicine and cardiology); broad specialty categories (such as primary care, medical, and surgical); and other clinicians (such as nurse practitioners and physician assistants). 10We chose April because it was the first full month that waivers were in full effect after being issued on March 17, 2020. For additional details on our scope and methodology, see appendix I. 11In its COVID telehealth program integrity risk assessment, which we refer to as the telehealth risk assessment for purposes of this report, CMS officials outlined risks posed by the telehealth waivers and actions taken to address these risks. CMS said that the telehealth risk assessment is updated as new waivers are issued or made permanent. We did not evaluate CMS's risk assessment approach. Page 4 GAO-22-104454 Medicare Telehealth disparities in health care, as well as support evidence-based care and clinical decision making overall. 12 To examine a change OCR made, through its notification of enforcement discretion, to its enforcement of regulations governing patients' PHI, we interviewed agency officials and reviewed relevant materials, including regulations and guidance to providers. 13 We also reviewed selected research about risks to privacy and security. We assessed OCR's efforts to oversee the privacy and security risks for patients' PHI against the Standards for Internal Control in the Federal Government. 14 We also assessed OCR's efforts against the Health Information Technology for Economic and Clinical Health Act, which mandates that HHS increase providers' and patients' understanding of potential uses of their PHI and the effects of such uses, including the use of PHI in telehealth technology. 15 12Centers for Medicare & Medicaid Services, The CMS National Quality Strategy: A Person-Centered Approach to Improving Quality (Baltimore, Md.: June 6, 2022). 13The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act, provides for the creation, enforcement, and monitoring of information security and privacy standards for electronic health data. Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (1996) as amended by the Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, Title XIII, 123 Stat. 115, 226 (Feb. 17, 2009). The HIPAA Rules refer to regulations that implement HIPAA promulgated at 45 C.F.R. Parts 160 and 164-the Privacy, Security, Enforcement, and Breach Notification Rules. PHI is individually identifiable health information that is transmitted or maintained by a covered entity or business associate in any form or medium. HIPAA-covered entities include health plans, most health care providers, and health care clearinghouses. Business associates are third parties, such as a telehealth platform vendor, that (1) create, receive, maintain, or transmit PHI on behalf of a covered entity for a covered function; or (2) provide certain services to or for such covered entity, where the services include the disclosure of PHI. 45 C.F.R. § 160.103 (2021). In this report, we refer to HIPAA-covered health care providers as covered providers and individuals as patients. 14See GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: Sept. 10, 2014). Internal control is a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. We determined that the information and communication component of internal controls were significant to this objective, along with the underlying principle that management should communicate quality information with external parties to achieve its objectives and respond to risks. 15Pub. L. No. 111-5, § 13403(b), 123 Stat. 115, 263 (2009). Section 13403 refers to educating individuals about the potential uses of their PHI and the effects of such uses. In this report, we refer to individuals as patients. Page 5 GAO-22-104454 Medicare Telehealth To describe the perspectives of providers and beneficiaries on Medicare telehealth waivers, we interviewed representatives from 29 stakeholder groups-specifically, the provider and beneficiary advocacy groups described above. We conducted this performance audit from July 2020 to September 2022 in accordance with generally accepted government accounting standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background Medicare Provider Fees In traditional Medicare, CMS pays providers a fixed amount for each service they deliver. CMS's Physician Fee Schedule determines how much providers are paid for each service based on estimates of resources for the physician's work (time, skill, and level of training), practice expenses (such as employee salaries, rent, and overhead), and malpractice premiums required to provide a service relative to all other services. Services billed under the fee schedule may be provided in a variety of care sites, including physicians' offices, patients' homes, and institutional settings such as hospitals, and skilled nursing facilities. In addition to physicians, other clinicians-such as nurse practitioners, physician assistants, and clinical psychologists-may bill Medicare for certain services that they are legally authorized to perform under their respective state laws. Providers bill Medicare for their services using a series of 5-digit billing codes to describe the services delivered. 16 Providers indicate the site of service using a 2-digit code. Under the telehealth waivers, providers may indicate the site of service as the place from which they normally furnish services, even if they are furnishing the service from their homes. 16These billing codes are based in part on codes developed by the American Medical Association's Current Procedural Terminology panel, which maintains and updates a list of billing codes that CMS adopts for use. Page 6 GAO-22-104454 Medicare Telehealth Changes to Medicare Section 1135 of the Social Security Act provides authority for the Coverage of Telehealth in Secretary of HHS to temporarily waive or modify Medicare program requirements, among other things, during certain emergencies. 17 In Response to the COVID- response to the COVID-19 pandemic, Congress amended the law to 19 Pandemic expressly include telehealth requirements and further clarify this authority. 18 In March 2020, the Secretary of HHS temporarily waived or modified certain existing Medicare program requirements, and the Administrator of CMS made widespread use of these waivers to expand the availability of telehealth services in traditional Medicare, such as waiving the geographic restrictions on where telehealth services can be delivered. In addition, CMS implemented other flexibilities for telehealth services under its own regulatory authority, such as establishing separate payment for certain audio-only services. For purposes of this report, we collectively refer to these waivers, modifications, and flexibilities as waivers. See table 1 for key examples of these changes. Table 1: Examples of Telehealth Coverage in Traditional Medicare, Before and Starting in or after March 2020 Telehealth coverage Before March 2020 Starting in or after March 2020 Geographic • Beneficiaries must receive services at an eligible • Beneficiaries may be located anywhere nationwide to location and site originating site-typically a medical facility, such as receive services, including their homes. of service a clinic or hospital-that is located in certain, • Providers may deliver services from any site, mostly rural, geographic areas. including their home, without reporting their home • Providers must deliver services from the location in address on their Medicare enrollment and continuing which they are enrolled. to bill from the enrolled location.a Services • Approximately 100 services, including office visits, • Added over 140 services, including new service patient consultations, psychotherapy, and types-physical and occupational therapy, speech preventive health screenings. language pathology-and additional services- emergency department visits and telephone psychotherapy. 17On January 31, 2020, the Secretary of HHS declared a public health emergency for the United States, retroactive to January 27. Subsequently, on March 13, 2020, the President declared COVID-19 a national emergency under the National Emergencies Act and a nationwide emergency under section 501(b) of the Robert T. Stafford Disaster Relief and Emergency Assistance Act. See 50 U.S.C. § 1601 et seq. and 42 U.S.C. § 5121 et seq. These two actions triggered the availability of authority under section 1135 of the Social Security Act for the Secretary of HHS to temporarily waive or modify Medicare program requirements. See 42 U.S.C. § 1320b-5. 18See Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020, Pub. L. No. 116-123, Div. B, § 102, 134 Stat. 146, 156; Families First Coronavirus Response Act, Pub. L. No. 116-127, § 6010, 134 Stat. 178, 210 (2020); CARES Act, Pub. L. No. 116-136, § 3703, 134 Stat. 281, 416 (2020). Page 7 GAO-22-104454 Medicare Telehealth Telehealth coverage Before March 2020 Starting in or after March 2020 Eligible • Physicians and other specified providers- • All Medicare eligible providers-including physical providers including nurse practitioners, physician assistants, and occupational therapists, and speech language and clinical psychologists. pathologists. Telehealth • Furnished via video equipment capable of real- • Certain telehealth services-telephone office visits, technology time communication between patient and provider. patient education, and specific behavioral health services-may be furnished via audio-only. Payments and • Providers were paid a lower facility-based payment • Providers are paid the higher non-facility rate or lower fees rate regardless of their location.b facility-based rate based on the site from which the • No payment for audio-only. provider would normally furnish the service.c • Originating sites received a facility fee-nearly $28 • Hospitals may designate patient homes as originating in 2022-for each service. sites and receive the facility fee for telehealth services furnished in hospital outpatient departments. This • Providers collect beneficiary cost sharing for designation takes place when telehealth services are telehealth services. furnished by providers located in hospital outpatient departments, and the patient is located in their home. • Providers may reduce or waive beneficiary cost sharing for telehealth services.d Source: GAO analysis of guidance from the Centers for Medicare & Medicaid Services. | GAO-22-104454 a See Centers for Medicare & Medicaid Services, COVID-19 Emergency Declaration Blanket Waivers for Health Care Providers (Baltimore, Md.: April 7, 2022), accessed June 15, 2022, https://www.cms.gov/files/document/covid-19-emergency-declaration-waivers.pdf; and COVID-19 Frequently Asked Questions (FAQs) on Medicare Fee-for-Service (FFS) Billing (Baltimore, Md.: Feb. 28, 2022), accessed June 15, 2022, https://www.cms.gov/files/document/03092020-covid-19-faqs-508.pdf. For purposes of this report, we use the term providers to mean physicians and other clinicians. b Medicare's Physician Fee Schedule pays providers different rates depending on the site of service. Facility-based services (such as those delivered in a hospital or clinic) are generally paid a lower rate than non-facility (office-based) services because, while the provider's work is the same in both settings, the provider does not incur practice expenses (building expenses, medical supplies, and clinical staff time) in a facility setting relative to those in a non-facility setting. For example, in 2022, the national payment amount for a facility- or non-facility-based office visit that was 30-39 minutes was $98.97 and $129.77, respectively. c For example, providers who bill for a telehealth service that would have normally occurred in an office-based setting are paid the higher non-facility based payment rate. d Department of Health and Human Services Office of Inspector General issued a policy statement notifying providers that, among other things, they will not be subject to administrative sanctions for reducing or waiving Medicare beneficiary copays (a portion of the fee that beneficiaries pay) for telehealth services furnished during the public health emergency. While telehealth waivers were initiated to temporarily expand beneficiary access during the public health emergency, both Congress and CMS have taken actions to make certain provisions permanent or extend them for further study. For example: • In December 2020, Congress passed and the President signed legislation that removed geographic location restrictions and added a beneficiary's home as a permissible site of service for certain mental Page 8 GAO-22-104454 Medicare Telehealth health services furnished via telehealth after the public health emergency ends. 19 • In addition, CMS used its regulatory authority to permanently allow audio-only telehealth for certain mental health services when furnished to established patients in their homes who are unable, or do not consent to, the use of video technology. CMS requires providers to identify such services when billing for them. 20 CMS also used its regulatory authority to extend 64 services approved for telehealth through December 31, 2023 in order to allow additional time for further evaluation, and, as of January 5, 2022, CMS had permanently approved nine services for telehealth. Beneficiary Privacy HHS OCR is responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules. These rules establish requirements with respect to the use and disclosure of PHI by covered entities and business associates; require health information privacy and security protections; and establish rights for individuals with respect to their PHI. 21 OCR's responsibilities include creating and implementing regulations and guidance, investigating complaints, breach reports, and conducting compliance reviews; resolving investigations with technical assistance, resolution agreements, corrective actions or civil monetary penalties; and educating the public. 22 In order to transmit PHI via a telehealth platform and comply with HIPAA Rules, 19Consolidated Appropriations Act, 2021, Pub L. No. 116-260, div. CC, tit. I, subtit. B, § 123, 134 Stat. 1182, 2956 (amending 42 U.S.C. § 1395m(m)(7)). See also 86 Fed. Reg. 64,996, 65,666 (Nov. 19, 2021) (to be codified at 42 C.F.R. §§ 410.78(b)(3)(xiv) (adding home as originating site) and 410.78(b)(4)(iv)(D) (removing geographic restrictions)). 20See 86 Fed. Reg. at 65,059, 65,666 (to be codified at 42 C.F.R. § 410.78(a)(3)). According to CMS, the new billing modifier also verifies that the provider has the capability to provide video technology but instead uses audio-only technology due to beneficiary choice or limitations. 21PHI is health information that (1) is created or received by certain entities, including health care providers; (2) relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 22At a patient's first visit with a covered provider, the provider must give the patient a HIPAA notice that includes, among other information, how the provider may use and share their PHI and information about the patient's right to submit a complaint to OCR if the patient believes their privacy rights were violated. (CMS officials told us that, while CMS is also subject to the law's reporting and notification requirements when there is a breach of PHI, CMS defers to OCR in monitoring privacy and security risks with telehealth services.) Page 9 GAO-22-104454 Medicare Telehealth covered providers who deliver services via telehealth generally are required to enter into a business associate agreement with a telehealth platform vendor, where the vendor meets the definition of a business associate. 23 See appendix III for an overview of the HIPAA Rules. Covered providers generally may not use or disclose PHI without patient authorization except as specifically required or permitted in the Privacy Rule-such as for treatment, payment, or health care operations or for public health purposes. Covered providers may also disclose PHI to a business associate if they first enter into a business associate agreement that provides assurances that PHI will be appropriately safeguarded and establishes what uses and disclosures of PHI are permitted by the business associate. Utilization of and Spending on Telehealth Services Increased Under Waivers; Services Were Concentrated Among 5 Percent of Providers and Beneficiaries 23In this report, covered provider is sometimes used instead of covered entity. The HIPAA Rules refer to covered entities. A business associate agreement is a contract between a covered provider and a business associate, including certain telehealth platform vendors used by that covered provider that meets the requirements of 45 C.F.R. § 164.504. If covered providers fail to enter into such an agreement with a business associate before disclosing PHI to the business associate, there is a potential violation of the HIPAA Rules. 45 C.F.R. §§ 164.314, 164.502, 164.508, 164.512 (2021). Page 10 GAO-22-104454 Medicare Telehealth Utilization of and Spending Utilization of telehealth services increased from about 5 million services on Telehealth Services from April to December 2019 to more than 53 million services over the same period in 2020-a tenfold increase (see fig. 1). Consequently, Increased Post-Waivers, Medicare spending on telehealth increased at a similar rate-from more While In-Person Services than $306 million from April to December 2019 to about $3.7 billion over and Overall Utilization the same period in 2020. Overall utilization (telehealth and in-person) on Declined all 309 services in our review declined by about 14 percent from April to December 2020, driven by a 25 percent decline in in-person utilization. 24 Overall spending mirrored this trend. 24Our analysis of CMS data and figures in this report includes telehealth services as well as other services such as virtual check-ins and e-visits that CMS collectively defines as telemedicine. Virtual check-ins are short, patient-initiated communications with a health care practitioner through different technologies, including by phone or video. E-visits are non-face-to-face, patient-initiated communications through an online patient portal. Medicare covered and paid for virtual check-ins and e-visits prior to the pandemic. Our analysis also includes remote patient monitoring services. Page 11 GAO-22-104454 Medicare Telehealth Figure 1: Utilization of Medicare Services Delivered via Telehealth or In-person, by Month, April 2019–December 2020 Note: In response to the COVID-19 pandemic, the Centers for Medicare & Medicaid Services temporarily waived or modified certain requirements, expanding the availability of telehealth services in Medicare. Utilization data are for 309 Medicare services that we included in our review. Number of Beneficiaries The increase in services delivered via telehealth reflects the fact that Accessing Telehealth more beneficiaries accessed telehealth services post-waiver. Specifically, the number of Medicare beneficiaries accessing telehealth services Services Increased Post- increased from a total of about 1.5 million during the pre-waiver period of Waiver April to December 2019 to a total of more than 14.2 million post-waiver from April to December 2020. After a peak in April 2020, the number of beneficiaries using telehealth declined each month between May and October 2020, but remained above pre-waiver levels and increased in November and December 2020. Page 12 GAO-22-104454 Medicare Telehealth During the post-waiver period of April to December 2020, 5 percent of beneficiaries accounted for 39 percent of telehealth utilization, and 5 percent of beneficiaries accounted for 11 percent of in-person utilization. Further, 30 percent of beneficiaries accounted for 87 percent of telehealth utilization, compared to 46 percent of in-person utilization. In general, we found slight differences in the characteristics of beneficiaries accessing telehealth services post-waiver. For example, 33 percent of beneficiaries living in rural areas used telehealth, compared to 39 percent of beneficiaries in urban areas. See appendix II for additional details on the characteristics of beneficiaries using telehealth. Psychotherapy and Office The number of services delivered via telehealth increased for all provider Visits Were the Most specialties under the waivers, with mental and behavioral health providers increasing the most and sustaining this increase for the remainder of Common Services 2020 (see fig. 2). 25 Specifically, mental and behavioral health providers Delivered under the delivered around half of their services via telehealth in each month Waivers, with 5 Percent of between April 2020 and December 2020. Providers Delivering 42 Percent of Services Delivery of telehealth services across all other provider specialties, such as primary care and surgical specialties, declined from their peaks in April 2020 but remained elevated compared to January 2020. See appendix II for additional data on telehealth utilization by select specialty. 25Inour analysis of mental and behavioral health providers, we included those who specialize in psychiatry, geriatric psychiatry, psychology, clinical psychology, addiction medicine, clinical social work, and neuropsychiatry. Page 13 GAO-22-104454 Medicare Telehealth Figure 2: Percentage of Medicare Telehealth Services, by Provider Specialty, for Selected Months in 2020 Note: In response to the COVID-19 pandemic, the Centers for Medicare & Medicaid Services temporarily waived or modified certain requirements, expanding the availability of telehealth services in Medicare. Utilization data are for 309 Medicare services that we included in our review. a This category largely comprises nurse practitioners and physician assistants, and it also includes services provided by registered dieticians and certified clinical nurse specialists. We categorized nurse practitioners and physician assistants separate from primary care physicians because they have defined scope of practices that are variable between states and medical practices. A provider's scope of practice determines the range of services they are allowed to perform. b We included 41 specialties in this category, including cardiology, neurology, emergency medicine, and hospitalists. From April to December 2020, 5 percent of providers delivered 42 percent of telehealth services, while 5 percent of providers delivered 25 percent of Page 14 GAO-22-104454 Medicare Telehealth in-person services (see fig. 3). In addition, the 10 providers with the most telehealth payments from April to December 2020 were entities that provided remote patient monitoring services. 26 Figure 3: Percentage of Providers Delivering Medicare Telehealth Services Compared To In-Person Services, Post-Waiver April 2020–December 2020 Note: In response to the COVID-19 pandemic, the Centers for Medicare & Medicaid Services temporarily waived or modified certain requirements, expanding the telehealth services in Medicare. Utilization data are for 309 Medicare services that we included in our review. During this period, providers in urban locations delivered a greater percentage of their services via telehealth compared to those in rural locations-where, from April to December 2019, telehealth was only available to beneficiaries located in certain, mostly rural, geographic areas (see fig. 4). Specifically, in each month from April 2020 through December 2020, providers in urban locations delivered 14.9 percent of their services by telehealth, on average, compared to 11.1 percent of services for providers in rural locations. The percentage of services delivered via telehealth by urban and rural providers declined from peaks in April 2020, but it remained elevated through December 2020 for all geographic locations compared to pre-waiver levels. 26Nine of these providers are organizations, and one is an individual. Remote patient monitoring involves the collection and analysis of physiologic data from patients that are used to develop and manage a treatment plan related to a chronic or acute health illness or condition. It allows patients to be monitored remotely while in their homes. It also allows for providers to track patients' physiologic parameters (e.g., weight, blood pressure, glucose) and implement changes to treatment as appropriate. Page 15 GAO-22-104454 Medicare Telehealth Figure 4: Percentage of Medicare Telehealth Services Pre- and Post-Waiver, by Provider Location, April 2019–December 2020 Note: In response to the COVID-19 pandemic, the Centers for Medicare & Medicaid Services temporarily waived or modified certain requirements, expanding the availability of telehealth services in Medicare. Utilization data are for 309 Medicare services that we included in our review. Office visits (including visits to primary care and other practitioners) and psychotherapy were the most common services delivered via telehealth, accounting for about 80 percent of all telehealth services post-waiver from April to December 2020 (see fig. 5). 27 This was a shift from the pre-waiver period of April to December 2019, when remote patient monitoring accounted for 80 percent of services delivered via telehealth, and office visits and psychotherapy combined accounted for 10 percent. Post- waiver, office visits and psychotherapy services delivered via telehealth increased from approximately half a million to about 43 million, while the number of remote patient monitoring services increased from approximately 4 million to more than 5.1 million. 27To group individual services into services types, we used Berenson-Eggers Type of Service codes, which assigned individual services to broader, readily understood clinical categories, such as office visits for established patients. Page 16 GAO-22-104454 Medicare Telehealth Figure 5: Medicare Telehealth Services Pre- and Post-Waiver, by Service Type, April 2019–December 2019 and April 2020– December 2020 Note: In response to the COVID-19 pandemic, the Centers for Medicare & Medicaid Services temporarily waived or modified certain requirements, expanding the availability of telehealth services in Medicare. Utilization data are for 309 Medicare services that we included in our review. To group individual services into broader services types, we used Berenson-Eggers Type of Service codes, which assigned individual services to broader, readily understood clinical categories, such as office visits for established patients. The office visits category includes evaluation and management services for new and established patients, as well as annual wellness visits. In 2020 and 2021, CMS took actions to address program integrity risks it CMS Identifies and identified in a risk assessment of the new telehealth waivers. These Monitors Some actions included monitoring claims for suspicious billing patterns. However, CMS does not have complete data about the extent to which Program Integrity services are being delivered via telehealth, and the agency has not Risks but Lacks assessed the quality of telehealth services. Complete Data about Telehealth Delivery and Has Not Assessed Care Quality Page 17 GAO-22-104454 Medicare Telehealth CMS Took Actions to CMS told us that, in April 2020, they began an assessment that identified Monitor Some Program risks introduced by the new telehealth waivers and developed actions to address them. 28 In its assessment, CMS identified risks that included Integrity Risks, Including fraud, waste, and abuse; improper payments; and increased federal Investigating Potentially spending if telehealth services are provided in addition to in-person Problematic Providers and services. CMS also identified concerns about the quality of telehealth Identifying Long-Term services, including the risk of patient harm from the waivers and Effect on Spending flexibilities. CMS officials told us that following this assessment, in 2020 and 2021, the agency implemented new actions to monitor telehealth services, investigate problematic providers, and educate providers on how to appropriately bill for telehealth services. These efforts are largely built on longstanding monitoring efforts to prevent fraud, waste, and abuse and reduce improper payments. They have been adapted to address issues identified in CMS's telehealth risk assessment. For example, CMS would monitor telehealth services that result in the ordering of expensive items or services at levels not otherwise expected for that provider type, such as genetic testing and durable medical equipment, which could indicate potential fraud. CMS has stated that it is too early to fully assess the effectiveness of its actions. Several of CMS' actions to monitor telehealth services are likely to help the agency identify the program integrity risks associated with increased spending and ensure that telehealth services comply with Medicare policies. However, CMS officials said that the long-term effects of increased telehealth delivery cannot be known for several years. For example, CMS officials said that it is too soon to determine how many and which types of telehealth services were provided in addition to- rather than in place of-in-person services. 29 Continued monitoring will be important, as researchers have raised concerns about the risks of increased spending due to telehealth waivers. 28CMS officials said that they first identified program integrity risks associated with each type of waiver or flexibility. Next, they applied risk scores (high, medium, or low) to each of three metrics-amount of dollars at risk, likelihood of occurrence, and the potential for patient harm. These scores were used to calculate an overall risk. Finally, officials said that they developed and implemented actions to address each of the risks. 29The Secretary of HHS first declared the COVID-19 public health emergency on January 31, 2020, and renewed this determination ten times. The public health emergency was most recently renewed on July 15, 2022, and expires October 13, 2022. In addition, the Consolidated Appropriations Act, 2022, allows for certain telehealth waivers to extend 151 days-about 5 months-after the public health emergency ends. See Pub. L. No. 117- 103, div. P, tit. III, subtit. A, §§ 301-06, 136 Stat. 49, 804-07. Page 18 GAO-22-104454 Medicare Telehealth Specifically, as we have noted, utilization and spending are more likely to increase in the long term if beneficiaries access telehealth in addition to traditional in-person visits, rather than instead of them. 30 For example: • Our analysis identified a marked increase in Medicare telehealth utilization and spending in 2020 after the new telehealth waivers, which remained above pre-waiver levels while in-person visits resumed. • A study from HHS Office of the Assistant Secretary for Planning and Evaluation reported similar findings. 31 • Some studies have also shown that telehealth can be additive; for example, a 2017 study of Medicare beneficiaries' use of telehealth services for mental health concluded that these services added to, rather than substituted for, in-person services. 32 CMS Cannot Fully Track Audio-only visits. CMS tracks the utilization of telehealth services on an Telehealth Visits That Are annual basis for policy-making and payment purposes. For example, CMS may approve new services for telehealth by comparing them with Audio-Only or Furnished in existing telehealth services, including the telecommunication technology Beneficiaries' Homes (audio-only or video) used. CMS may also temporarily add services for Because of Billing which there is likely to be a clinical benefit, but there is not yet sufficient Limitations evidence available to make the additions permanent. 33 CMS, therefore, needs to have accurate and complete data on utilization of telehealth services, particularly the type of telecommunication technology used to deliver them. However, the agency does not have data on the total number of audio-only office visits, and there is no other mechanism for providers to indicate that an audio-only visit was delivered when they use 30See GAO-21-191 and GAO-21-575T. 31Department of Health and Human Services, Office of the Assistant Secretary for Planning and Evaluation, Issue Brief: Medicare Beneficiary Use of Telehealth Visits: Early Data from the Start of the COVID-19 Pandemic (Washington, D.C.: July 28, 2020). 32A. Mehrotra, et al., "Rapid Growth in Mental Health Telemedicine Use Among Rural Medicare Beneficiaries, Wide Variation Across States," Health Affairs, vol. 36, no. 5 (2017): 909–917. 33CMS maintains a list of Medicare telehealth services at https://www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth- Codes. Typically, this list is updated through the rulemaking process. During the public health emergency, the agency modifies the list through subregulatory guidance, taking into consideration patient safety and other public health concerns. See 42 C.F.R. § 410.78(f) (2021). See also 85 Fed. Reg. 19,230, 19,233 (April 6, 2020) (discussing criteria for adding services to telehealth list). Page 19 GAO-22-104454 Medicare Telehealth other most commonly used billing codes for these visits. Also, in some circumstances, providers may use their discretion when assigning billing codes. 34 Effective March 1, 2020, CMS approved payment for six billing codes for audio-only visits during the public health emergency. 35 In its guidance, CMS encouraged providers to use these codes, but it did not require them to do so. In instances where a visit begins with video technology and then shifts to audio-only due to technological challenges, CMS directed providers to use the billing code that best describes the visit, whether that is audio-only or video technology. The billing codes that providers could use in these circumstances are the 10 existing commonly used billing codes for office visits delivered using video technology instead of the six suggested codes. 36 CMS officials told us that the 10 existing codes are not approved for audio-only visits. However, these are the only alternate set of office visit codes available for billing in situations where the visit begins as a video visit and shifts to audio-only technology. When they use these 10 codes, providers are directed to apply a 2-digit billing modifier to indicate it as a service delivered by video-technology, but there is no modifier or other mechanism to designate an audio-only visit. Without a billing modifier or another mechanism to identify audio- only visits, Medicare claims data likely do not fully reflect the extent to which audio-only visits were delivered. In addition, recent surveys and provider groups we interviewed suggest that providers may be using the 10 existing office visit billing codes for audio-only visits. To the extent that providers use these codes for audio- 34See Centers for Medicare & Medicaid Services, COVID-19 Frequently Asked Questions (FAQs) on Medicare Fee-for-Service (FFS) Billing (Baltimore, Md.: Feb. 28, 2022). 35These billing codes are 99441 through 99443 (telephone evaluation and management service provided by a physician to an established patient) and 98966 through 98968 (telephone assessment and management service provided by a qualified nonphysician health care professional to an established patient). 36The 10 billing codes are 99201 through 99205 (Office or other outpatient visit for the evaluation and management of a new patient), and 99211 through 99215 (Office or other outpatient visit for the evaluation and management of an established patient). For purposes of this report, we refer to these visits as office visits. The visits in each series range in time and complexity from routine visits with 5 minutes to up to 60 minutes with complex medical decision-making. About half of office visits were billed under the lower- complexity codes in 2020 with one code-99213-accounting for over 40 percent of office visits. (Medicare has since discontinued payment for code 99201 as of January 1, 2021.) Page 20 GAO-22-104454 Medicare Telehealth only visits, Medicare claims data will overstate the number of video visits and undercount the number of audio-only visits. Specifically, • Our analysis of claims data from April through December 2020 shows that less than one-third of telehealth visits were audio-only visits (about 10.5 million of approximately 33 million) billed under the six audio-only visit codes. In contrast, three provider groups that we interviewed-including a provider group representing the third largest specialty billing Medicare for telehealth services in 2020-stated that audio-only visits represented the majority of telehealth visits for provider practices in their respective specialties, and 19 of the 26 provider groups told us that audio-only visits were critical to ensuring beneficiary access to care. • Similarly, our analysis of claims data showed that about 28 percent of beneficiaries received exclusively audio-only services from July 1 through September 30, 2020, compared to 56 percent as reported in the Medicare Current Beneficiary Survey for about the same time period. 37 The magnitude of this difference suggests that telehealth claims may not fully reflect audio-only visits. • A recent survey of Medicare beneficiaries reported that the majority (51.9 percent) of their telehealth visits were audio-only for the period from July 21, 2021, through October 11, 2021, indicating that these trends continued into the second year of the pandemic. 38 • Some provider groups we interviewed described that during the pandemic, a telehealth visit may begin with video technology but shift to audio-only because of technological challenges such as unstable internet access, beneficiary problems accessing the telehealth 37The survey is based on a nationally representative sample of Medicare beneficiaries who were asked about the type of telehealth technology used in the telehealth services they received. The survey was conducted from October 5, 2020, through November 15, 2020. See Wyatt Koma, Juliette Cubanski, and Tricia Neuman, Medicare and Telehealth: Coverage and Use During the COVID-19 Pandemic and Options for the Future (Washington, D.C.: Kaiser Family Foundation, May 19, 2021), accessed June 27, 2022, https://www.kff.org/medicare/issue-brief/medicare-and-telehealth-coverage-and-use- during-the-covid-19-pandemic-and-options-for-the-future/. 38See Department of Health and Human Services, Office of the Assistant Secretary for Planning and Evaluation, Issue Brief: National Survey Trends in Telehealth Use in 2021: Disparities in Utilization and Audio vs. Video Services (Washington, D.C.: Feb. 1, 2022). Page 21 GAO-22-104454 Medicare Telehealth platform, or lack of familiarity with how to use it. 39 They noted that there may be some confusion about appropriate billing for audio-only visits due in part to the number of codes that could be used (including the 10 existing office visit codes as well as the six new audio-only codes). As a result, providers may have used either sets of codes. Further, some providers stated that when the 10 existing codes were used, there was no modifier to indicate the visit was audio-only. 40 It is important for CMS to have accurate data on audio-only visits to make fully informed policy and payment decisions, and because research suggests that audio-only services may not be equivalent to the quality of in-person services. 41 Research also raises concerns about equitable access to telehealth services, especially video technology. 42 In addition, the relative cost of audio-only visits is likely to be less than in-person 39These views were also corroborated in a recent physician telehealth survey conducted from November 1 through December 31, 2021. Specifically, according to the survey, physicians perceive technology, digital literacy, and broadband internet access as the top three patient barriers to using telehealth. The survey also reported that audio-only telephone visits were the most commonly used telehealth platforms. See American Medical Association, 2021 Telehealth Survey Report (Washington, D.C.: 2022). 40CMS has recently implemented a comparable billing modifier for certain audio-only visits. Specifically, effective January 1, 2022, CMS is requiring a billing modifier for 48 services-mostly mental health and substance use disorder services-that were approved for audio-only technology. See Centers for Medicare & Medicaid Services, MLN Matters: CY2022 Telehealth Update Medicare Physician Fee Schedule, MM12549 (Baltimore, Md.: Jan. 14, 2022). However, CMS does not require a billing modifier for another 39 services, which were also approved as audio-only telehealth services. On July 29, 2022, CMS proposed to require the use of a billing modifier to identify all Medicare services that are furnished using audio-only technology effective January 1, 2023. See 87 Fed. Reg. 45,860, 45,900 (proposed July 29, 2022). 41Lori Uscher-Pines and Lucy Schulson, "Rethinking the Impact." 42A February 2022 HHS Office of the Assistant Secretary for Planning and Evaluation report found disparities in audio-only vs. video telehealth access by race/ethnicity, age, education, income, and health insurance coverage. Additionally, the report noted that while audio-only visits may provide access to care, video appointments may allow a partial physical exam, nonverbal communication, and a stronger patient-provider relationship. Further, video visits may allow the provider to check on a patient's home environment. See Department of Health and Human Services, Office of the Assistant Secretary for Planning and Evaluation, Issue Brief: National Survey Trends in Telehealth Use in 2021. For additional information about equitable access to telehealth services, see GAO-21-575T. Page 22 GAO-22-104454 Medicare Telehealth visits, although Medicare currently pays the same fees for them as for comparable in-person visits. 43 Without a billing modifier and guidance clarifying when providers should use it to identify audio-only telehealth services, CMS cannot track utilization and spending on audio-only visits that were billed under the 10 existing office visit codes, review the appropriateness of payments for such services, or evaluate the quality of the services provided. 44 This lack of data is inconsistent with CMS' objectives to improve the information it has about the appropriateness and effectiveness of services delivered via telehealth. Site of service. CMS also does not have complete data on the extent to which telehealth services are delivered in beneficiaries' homes because the agency does not require the use of a code to identify this site of service. Such data are needed to allow the agency to track the quality of services provided in beneficiaries' homes, which may not be the same as services provided in physicians' offices or other medical settings. For example, three provider groups told us that beneficiaries may lack privacy to discuss their medical conditions in their own homes. The data are also needed to help policymakers assess whether to extend beyond the COVID-19 public health emergency the waivers expanding access to telehealth services delivered in beneficiaries' homes, and whether any payment differentials are warranted for these services. 45 Prior to the waivers, CMS could track the site where beneficiaries received telehealth services because they generally had to travel to an eligible traditional originating site such as a hospital or clinic, which then 43The resource requirements are lower because the physician does not incur direct costs such as equipment, supplies, and time spent by clinical and other staff in taking vital signs and cleaning the room for the visit. 44When asked how the agency would monitor audio-only visits billed under the 10 office visit codes, CMS officials indicated that Medicare contractors would deny payment for claims that did not comply with telehealth requirements, if they encountered such claims during their post-payment medical reviews conducted to detect improper payments as well as potential fraud, waste, and abuse. However, these post-payment claims reviews have limitations, including small sample sizes. 45Medicare generally pays an equivalent amount for professional services regardless of whether they are delivered in person or via telehealth in a beneficiary's home. See 42 U.S.C. § 1395m(m)(2)(A). In addition, by waiver during the public health emergency, a hospital may, under certain circumstances, bill an originating site facility fee regardless of whether the patient receives the telehealth service from home or the hospital. Page 23 GAO-22-104454 Medicare Telehealth billed an originating site fee for the use of its facility. Beneficiaries typically could not receive telehealth services in their homes. Under the waivers, however, beneficiaries may receive services in their homes. Our analysis of CMS data show that of the more than 53 million telehealth services delivered from April to December 2020, about 0.5 percent (252,000) of these telehealth services were delivered at originating sites. 46 Therefore, more than 99 percent of services were likely received in beneficiaries' homes. CMS cannot track them as such because providers do not use a code on the claim to denote the actual site of service was the home. CMS has two site of service codes available that providers could use to designate services furnished in beneficiaries' homes or elsewhere. However, CMS does not currently require providers to use these codes when billing Medicare for telehealth services during the public health emergency. 47 Specifically, in October 2021, CMS released guidance stating that the site of service codes are not required because the agency does not need that level of specificity in order to pay Medicare telehealth claims appropriately. However, as of January 2022, CMS has implemented a modifier that tracks audio-only mental health services received in beneficiaries' homes. Moreover, some of the telehealth visits that are coded as taking place at a medical facility originating site may actually take place at a beneficiary's home, because hospital outpatient departments may designate the hospital as the originating site in certain circumstances when billing for telehealth services under the waivers. In instances when providers deliver telehealth services from their home during the public health emergency, CMS instructs providers to code the site of service as the same location from which services are normally delivered, such as a provider's office. 46We determined this by counting the number of times the healthcare common procedure coding system code Q3014 was billed. The code is used to bill for a telehealth originating site facility fee when a beneficiary accessed telehealth services from a health care facility or clinic. If the beneficiary receives the telehealth service at home, there would be no facility to bill the code. 47See Centers for Medicare & Medicaid Services, MLN Matters: New/Modifications to the Place of Service (POS) Codes for Telehealth, MM12427 (Baltimore, Md.: Oct. 13, 2021). On July 29, 2022, CMS proposed to require physicians and other practitioners, in general, to use these site of service codes for Medicare telehealth services performed on or after the 152nd day after the end of the public health emergency, such as to indicate whether a Medicare service was provided via telehealth in a patient's home or elsewhere. Exceptions apply. See 87 Fed. Reg. 45,860, 45,899 (proposed July 29, 2022). Page 24 GAO-22-104454 Medicare Telehealth Because CMS does not require the use of codes to identify the home as a site of service, it lacks complete site of service data. As a result, the agency does not know where each service is provided or delivered. This hampers CMS's ability to fully track and study telehealth utilization and identify or monitor risks related to differing sites of service. The lack of accurate data is inconsistent with CMS' objectives to improve the information it has about the appropriateness and effectiveness of services delivered via telehealth. CMS Has Not In its risk assessment of the new telehealth waivers it conducted in 2020, Comprehensively CMS noted that expanding access to telehealth services could potentially affect the quality of care. 48 CMS officials told us the agency has not Assessed the Quality of comprehensively assessed the quality of telehealth services and has no Services Delivered Using plans to do so. Telehealth CMS has taken some steps to assess the quality of services delivered via telehealth. However, it has not outlined a comprehensive plan for how it intends to use these efforts to inform policy making on coverage of Medicare telehealth services during and after the public health emergency. For example, in an effort to help stakeholders identify telehealth measures that are available for use, CMS funded the National Quality Forum to develop a framework for quality measurement assessing the effect of telehealth on health care system readiness and health outcomes during emergencies in rural areas. The resulting report, issued in November 2021, includes 10 recommendations to guide current and future priorities, such as 26 existing measures that could be used to assess telehealth care provided in rural areas and 14 measure concepts for future measure development. 49 CMS officials told us in December 2021 that they have no current plans to act on recommendations in the National Quality Forum's report, nor do they have plans to continue this work with the National Quality Forum because the targeted focus of the work was on emergency telehealth services in rural areas. Officials said that developing quality measures for telehealth more broadly involves longitudinal studies to track outcomes across patient populations. Officials 48According to CMS officials, they did not comprehensively identify quality risks of waivers as part of their telehealth risk assessment. They noted quality was one of a variety of factors that they considered when assessing program integrity risks, and they largely considered quality from a potential patient harm point of view, rather than an in-depth qualitative or quantitative analysis. 49National Quality Forum, Rural Telehealth and Healthcare System Readiness Measurement Framework - Final Report (Washington, D.C.: 2021). Page 25 GAO-22-104454 Medicare Telehealth told us that the National Quality Forum had also published a report on quality measures based on funding from HHS in 2017 that will serve as a foundation for future efforts by stakeholders to advance quality measurement for telehealth. 50 In addition, for the 2021 performance period, CMS collected data on in- person and telehealth encounters across 39 electronic clinical quality measures for services delivered via telehealth, including measures for preventive care screening for depression, childhood immunizations, and initiation and engagement of alcohol and other drug dependence treatment. 51 However, CMS officials noted these data are currently not structured or reported in a way that provides them with data on whether these encounters were in-person or via telehealth. As a result, according to CMS officials, they currently cannot differentiate a telehealth visit from an in-person visit using these 39 measures. CMS officials also shared examples of efforts by other HHS agencies to gather data on the quality of telehealth services. For example, according to CMS officials, the Agency for Healthcare Research and Quality-a federal agency focused on producing evidence to improve healthcare- has a forthcoming report examining studies of telehealth completed during COVID-19. In addition, the Health Resources and Services Administration-a federal agency focused on improving health outcomes and achieving health equity-has requested additional funds in fiscal year 2023 to improve its telehealth data collection infrastructure at its facilities. 52 CMS has not outlined a comprehensive plan for how it intends to incorporate these efforts into policy-making decisions for Medicare 50National Quality Forum, Creating a Framework to Support Measure Development for Telehealth (Washington, D.C.: 2017). 51Each year, eligible providers participate in CMS quality reporting programs where providers can use electronic clinical quality measures to submit data. These measures use data from electronic health records or health information technology systems to measure health care quality. For a complete list of all 39 measures, see Department of Health and Human Services, Office of the National Coordinator for Health Information Technology, Telehealth Guidance for Electronic Clinical Quality Measures for Eligible Professional/Eligible Clinician 2021 Quality Reporting (Washington, D.C.: Sept. 2020). 52Also, the Centers for Disease Control and Prevention-a federal agency focused on responding to public health emergencies-began collecting data in 2018 on office-based providers' use of telehealth in their practice, including about challenges and quality. Page 26 GAO-22-104454 Medicare Telehealth telehealth services. A comprehensive assessment of telehealth quality could include these ongoing efforts. Further, CMS officials told us in March 2022 that the agency has no plans to assess the quality of services delivered using telehealth under the waivers, because CMS' priority has been to use its available resources to limit beneficiary and provider exposure to COVID-19 and ensure appropriate access to care. Without an assessment of the quality of telehealth services delivered under the waivers, CMS is not adhering to its own quality strategy and its objectives to improve the information the agency has about the appropriateness and effectiveness of services delivered via telehealth. 53 An assessment of the quality of telehealth services also would help CMS collect and review available data on the quality of services by beneficiary characteristics, such as race and ethnicity. Such data could help CMS achieve its objective to reduce disparities in health care, as well as support evidence-based care and clinical decision making overall. We previously reported that the quality of telehealth services provided to Medicare beneficiaries has not yet been evaluated, and evidence from research conducted prior to COVID-19 and the issuance of telehealth waivers is mixed. 54 For example, in May 2020, the Agency for Healthcare Research and Quality concluded that telehealth can improve quality of care when used for monitoring patients with chronic conditions and providing psychotherapy services. 55 In its March 2021 report, the Medicare Payment Advisory Commission concluded that it is not yet known how the combination of telehealth and in-person care affects quality. 56 53Centers for Medicare & Medicaid Services, The CMS National Quality Strategy: A Person-Centered Approach to Improving Quality (Baltimore, Md.: June 6, 2022). 54GAO-21-575T. 55Agency for Healthcare Research and Quality, The Evidence Base for Telehealth: Reassurance in the Face of Rapid Expansion During the COVID-19 Pandemic (Rockville, Md.: 2020). 56Medicare Payment Advisory Commission, "Chapter 14: Telehealth in Medicare after the coronavirus public health emergency," in Report to Congress: Medicare Payment Policy (Washington, D.C.: March 2021). Page 27 GAO-22-104454 Medicare Telehealth Evaluating the quality of telehealth is important because some evidence suggests that the quality of this care, particularly audio-only services, may vary. 57 In addition, many provider groups with whom we spoke told us that, during the pandemic, providers considered multiple factors before deciding to use telehealth, including the patient's condition and need for physical exam, patient and provider preferences, and clinical guidelines. However, two provider groups also remarked on the lack of clinical guidelines to determine the appropriate use of telehealth services, including when it may be appropriate to furnish audio-only telehealth services. The lack of clinical guidelines may create variability in clinical decision-making that could affect the quality of care. One provider group noted that providers need to know when to use telehealth-when it is not used appropriately, quality of care is at risk. Without an assessment of the quality of services delivered to Medicare beneficiaries via telehealth, CMS may not fully be able to ensure services are medically necessary, equitable, and lead to improved health outcomes. An assessment of the quality of Medicare telehealth services is important, given providers receive the same payment whether or not telehealth services are provided via video or audio-only during the public health emergency. Further, there is interest from provider groups and policymakers in making some telehealth flexibilities permanent, and a CMS assessment of the quality of services could help inform decisions about the future of telehealth in the Medicare program. The Consolidated Appropriations Act, 2022 requires the Medicare Payment Advisory Commission to submit a report that includes an analysis of the implications of expanded Medicare coverage of telehealth services on beneficiary access to care and the quality of care, to the extent reliable data are available. See Pub. L. No. 117-103, div. P, tit. III, subtit. A, § 308(a), 136 Stat. 49, 807. 57With concerns raised about the quality of care delivered to Medicaid beneficiaries via telehealth, in March 2022, we recommended that CMS collect and analyze the information needed to assess the effect delivering services via telehealth has on the quality of care Medicaid beneficiaries receive. HHS neither agreed nor disagreed with this recommendation. See GAO, Medicaid: CMS Should Assess Effect of Increased Telehealth Use on Beneficiaries' Quality of Care, GAO-22-104700 (Washington, D.C.: Mar. 31, 2022). Page 28 GAO-22-104454 Medicare Telehealth In March 2020, OCR issued a notification of enforcement discretion Patients May Be outlining a modification to its enforcement of HIPAA Rules during the Unaware that OCR's public health emergency. 58 For the purposes of this report, we consider the Telehealth Notification to be most applicable to video telehealth March 2020 platforms, as opposed to data applications such as remote patient Telehealth Policy May monitoring devises. The notification allows covered providers to engage in good-faith use of any non-public-facing communication product to Not Protect Patient conduct telehealth visits, without the risk OCR might seek to impose a Privacy penalty against covered providers for noncompliance with the HIPAA Rules. This includes the requirement for the provider to have a business associate agreement with the telehealth platform vendor. The lack of such a business associate agreement may increase the privacy and security risks of using telehealth technology-specifically, that a patient's PHI may be inappropriately disclosed without their knowledge. (See text box for definitions related to HIPAA.) 58See Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency, 85 Fed. Reg. 22,024 (Apr. 21, 2020) (effective March 21, 2020). We refer to this notification as the Telehealth Notification. OCR officials told us that the Telehealth Notification covers non-public- facing audio or video communication products-which we refer to collectively as telehealth platforms. As noted earlier, CMS does not monitor privacy and security risks related to telehealth services. Page 29 GAO-22-104454 Medicare Telehealth Definitions Related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) • HIPAA covered entities include health plans, most health care providers, and health care clearinghouses. • Protected health information (PHI) includes individually identifiable health information that is transmitted or maintained by a covered entity or business associate in any form or medium. Examples of PHI include communication between a provider and patient, such as oral conversations, transcripts, and images. PHI is health information that has the following characteristics: 1. Is created or received by certain entities, including health care providers; 2. Relates to an individual's past, present, or future physical or mental health condition; the provision of health care; or the payment for the provision of health care; and 3. Identifies the individual or can be used to identify the individual. • Business associates are third parties, such as a telehealth platform vendor, that create, receive, maintain, or transmit PHI on behalf of a covered entity for a covered function. Business associates may also provide certain services to or for such covered entity, where the services include the disclosure of PHI. • A business associate agreement is a contract between a covered entity and a third party used by that covered entity that meets certain requirements. Covered entities may disclose PHI to a business associate if they first enter into a written contract that provides assurances that PHI will be appropriately safeguarded. If covered entities fail to enter into such an agreement with a business associate, they are in violation of the HIPAA Rules. Source: GAO analysis of 45 C.F.R. Parts 160 and 164. | GAO 22 104454 In its Telehealth Notification, OCR explained that its enforcement discretion under the HIPAA Rules was to promote the good-faith provision of telehealth services during the public health emergency. Specifically, OCR officials said that they opted to exercise enforcement discretion for telehealth so that providers could continue treating their patients during the public health emergency and patients could access care safely. 59 OCR officials acknowledged the additional privacy and security risks of allowing platforms that may not comply with HIPAA to be used for telehealth. OCR officials told us that they intended for the Telehealth Notification to serve as a bridge from the public health emergency to a point after the public health emergency when all providers could transition to telehealth platforms that meet all of the HIPAA Rules requirements. 60 The Telehealth Notification stated that OCR will not impose penalties for noncompliance with the HIPAA Rules against covered providers in 59See 85 Fed. Reg. 22,024 (Apr. 21, 2020) (effective March 21, 2020). 60OCR officials told us that ending its enforcement discretion prior to the end of the public health emergency would cause confusion, and they plan to notify the public when the Telehealth Notification no longer applies. Page 30 GAO-22-104454 Medicare Telehealth connection with the good-faith provision of telehealth using non-public- facing remote communication products. OCR officials told us that, though they are not imposing penalties for noncompliance that falls within the scope of the Notification, they may investigate HIPAA complaints reported to OCR related to telehealth. For example, OCR may investigate a complaint where a covered provider used a public-facing telehealth platform, such as Facebook Live, Twitch, or TikTok, which are not permitted under the Telehealth Notification. As part of the investigative process, OCR can provide technical assistance to covered entities to support their attainment of compliance with the HIPAA Rules. Under OCR's Telehealth Notification, providers may use any non-public- facing remote communication product, such as Apple FaceTime, Facebook Messenger, or Zoom, that are available to communicate with patients to provide telehealth services-without risk that OCR might seek to impose a civil monetary penalty for noncompliance with the HIPAA Rules. OCR described that these kinds of telehealth platforms typically employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see and hear what is transmitted. These platforms also use individual user accounts, logins, and passcodes, which help limit access and verify participants. 61 In addition, OCR identified some platforms whose owners represent that they provide HIPAA-compliant communication products and will enter into a business associate agreement-such as Zoom for Healthcare and Skype for Business. In its Telehealth Notification, OCR did not endorse, certify, or recommend specific telehealth platforms. 62 The Telehealth Notification acknowledges that some telehealth technologies-including those that OCR said covered providers could use-Apple FaceTime, Facebook Messenger, and Zoom-and the manner in which they are used by HIPAA-covered health care providers, 61See Department of Health and Human Services, Office for Civil Rights, Frequently Asked Questions on Telehealth and HIPAA During the COVID-19 Nationwide Public Health Emergency, Washington, D.C.: 2020), accessed July 7, 2022, https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf. 62OCR officials told us they did review some business associate agreements and industry reports to identify criteria for the good-faith use of telehealth platforms-such as using non-public-facing telehealth platforms. However, these reviews did not examine the legal sufficiency of these agreements or the extent of their HIPAA-compliance. OCR officials told us they lack the legal authority to compel the production of business associate agreements outside of the investigative process and the resources to review all such agreements. Page 31 GAO-22-104454 Medicare Telehealth may not fully comply with the requirements of the HIPAA Rules. 63 For example, according to OCR officials, in situations in which covered providers use telehealth platforms without entering into a business associate agreement, the provider and the patient do not have assurance of the HIPAA Rules protections that would otherwise be required under such an agreement. 64 According to OCR officials, when telehealth platforms are used for a health care visit, the communication between the provider and patient is subject to the HIPAA Privacy Rule. If the communication also involves the electronic transmission of PHI over the telehealth platform, it is subject to the HIPAA Security Rule. 65 However, according to OCR, the primary • privacy risks are that the oral conversation will be overheard, or the telehealth platform vendor will inappropriately use or disclose information-such as a transcript or image (e.g., a digital x-ray that includes PHI, such as the patient's name)-relating to the communication; and • security risks for the protection of electronic PHI are that the telehealth platform will not have adequate security features to protect the electronic PHI, or a covered provider or patient will not activate those features if they are available. OCR officials and provider groups with whom we spoke indicate that some of the telehealth platforms used by providers may not meet the requirements of the HIPAA Rules. For example: • A 2020 survey of nearly 1,600 providers found that 34 percent of respondents used Zoom to provide telehealth services, about 29 percent used audio-only technology, over 28 percent were using Doxy.me, and about 18 percent were using Apple FaceTime, among 63According to OCR officials and researchers, some popular platform vendors-such as Apple FaceTime-are not willing to sign business associate agreements with covered providers. As a result, such platforms could not be used when the Telehealth Notification ends, unless the vendor agrees to sign a business associate agreement. 64OCR officials told us that it is unclear how often providers use telehealth platforms without entering into a business associate agreement. 65Remote communications generally involve electronic transmission unless they occur via a traditional landline. Page 32 GAO-22-104454 Medicare Telehealth other telehealth platforms. 66 (As mentioned earlier, OCR indicated that Apple will not enter into business associate agreements.) • Many (20 of 26) of the provider groups with whom we spoke said providers' use of telehealth platforms that may not meet HIPAA Rule requirements varied. 67 Some (five of 26) said investing in HIPAA- compliant telehealth platforms may be difficult for small practices, which, according to an American Medical Association survey, comprised just over half of physician practices in 2020. 68 In cases where a provider's use of a telehealth platform falls within the Telehealth Notification, only the vendor's privacy policy applies. The vendor's policy may not be HIPAA compliant and may be lengthy, complex, and difficult for some patients to understand. OCR's Telehealth Notification encourages covered providers to notify patients that third- party telehealth platforms potentially introduce privacy and security risks, and to enable all available encryption and privacy modes when using such platforms. However, the agency did not advise providers of specific language to use or give direction to (1) help them explain to patients the potential privacy and security risks of these telehealth platforms, and (2) ensure that patients understand potential uses of their PHI and the effects of this use. To help patients appropriately balance risks to privacy against important medical needs and to explain the steps patients can take to safeguard their privacy on their devices, a National Law Review article directed at providers noted that covered providers may want to consider developing talking points to help providers talk with their patients. 69 Specifically, the 66See COVID-19 Healthcare Coalition Telehealth Impact Study Work Group, Telehealth Impact: Physician Survey Analysis (McLean, Va.: MITRE Corporation, Nov. 16, 2020), accessed Sept. 2, 2021, https://telehealth-c19hcc-org-bzh6faksvq- uk.a.run.app/telehealth/physician-survey-analysis/. 67For example, one provider group said that a large proportion of their members were using consumer grade platforms to provide telehealth services, such as Zoom. Another provider group said that providers initially used Skype and FaceTime, while other provider groups said that members used HIPAA compliant platforms such as doxy.me. 68Specifically, the survey reported that about 54 percent of physicians worked in practices with 10 or fewer physicians. See Carol K. Kane, Policy Research Perspectives: Recent Changes in Physician Practice Arrangements: Private Practice Dropped to Less Than 50 Percent of Physicians in 2020 (Chicago, Il.: American Medical Association, 2021), accessed Nov. 15, 2021, https://www.ama-assn.org/about/research/physician-practice- benchmark-survey. 69Geetter, J. S., et al., "OCR Enforcement Waivers." Page 33 GAO-22-104454 Medicare Telehealth National Law Review authors argued that covered providers could consider advising patients to reset passwords, improve password strength, shorten the time that a device can be idle before the device locks, or how to remove images or videos (e.g. photos of a wound or a video of a cough) from their device. 70 HHS does not track the extent to which providers are notifying patients of the risks, and OCR officials noted that it would not be possible to track the extent to which providers notify patients in a reliable way. From March 2020 through December 2021, OCR received 43 complaints regarding privacy and security concerns with telehealth visits. For example: • Six complaints were related to the use of telehealth platforms that may not meet HIPAA requirements. Specifically, five patients and one employee of a covered provider alleged that providers were using telehealth platforms that did not meet the HIPAA requirements. These platforms potentially place the privacy and security of the complainants' PHI at risk and may affect the PHI of the providers' other patients as well. • There were 37 other complaints related to potential privacy violations. 71 • For example, 17 complaints alleged third parties were present during a telehealth visit-such as seeing an unknown individual walk behind the provider. • Thirteen complaints alleged the provider shared patients' PHI without permission during their telehealth visit. • Seven complaints alleged patients overheard or saw the PHI of another patient. If OCR provided additional information to providers, it could help ensure that patients understand potential privacy and security risks associated 70Geetter, J. S., et al., "OCR Enforcement Waivers." 71In addition, OCR received seven data breach complaints regarding telehealth, affecting 20 individuals. For additional information on data breaches, see GAO, Electronic Health Information: HHS Needs to Improve Communications for Breach Reporting, GAO-22-105425 (Washington, D.C.: May 27, 2022). Page 34 GAO-22-104454 Medicare Telehealth with telehealth technology. 72 With clear information, patients could better weigh the risks to their personal information and understand steps they can take to safeguard their PHI. Providing additional information to providers about the use of telehealth technologies would be consistent with the Health Information Technology for Economic and Clinical Health Act, which mandates increased education on health information privacy to covered providers and patients to increase understanding of potential uses and such effects on PHI. 73 Additionally, federal internal control standards specify the need to communicate with external partners, which would include providers and patients to (1) address risks-such as the privacy and security risks of telehealth technologies, and (2) achieve objectives, such as increasing understanding of potential effects on PHI from using telehealth technologies. 74 To the extent that providers use the additional information to educate their patients, Medicare beneficiaries may be able to better weigh the risks of and make more informed decisions on the use of telehealth technologies. Stakeholders Believe Telehealth Waivers Enabled Access but Noted Limitations; Most Support Extension 72CMS officials with whom we spoke stated that OCR was primarily responsible for provider education on privacy and security risks. CMS's website also directs visitors to OCR for education resources on privacy and security laws. See Centers for Medicare & Medicaid Services, Privacy and Security Information (Baltimore, Md.: Dec. 1, 2021), accessed Jan. 4, 2022, https://www.cms.gov/Regulations-and-Guidance/Administrative- Simplification/HIPAA-ACA/PrivacyandSecurityInformation. 73Pub. L. No. 111-5, § 13403(b), 123 Stat. 115, 263 (2009). Section 13403 refers to educating individuals about the potential uses and such effects of their PHI. 74GAO-14-704G, 62. Page 35 GAO-22-104454 Medicare Telehealth According to We interviewed 26 provider groups and three beneficiary advocacy Stakeholders, Waivers groups to gain their perspectives on Medicare telehealth services under waivers. 75 The majority of stakeholder groups with whom we spoke found Enabled Access; Most the waivers related to geographic location and site of service, including Support Permanent from home, to be the most helpful in enabling access to care during the Extension pandemic. 76 Two beneficiary groups told us that these waivers enabled beneficiaries to receive care from the convenience of their home, and accessing care in this setting helped reduce exposure risk during the pandemic. They noted that these waivers were helpful for beneficiaries with disabilities that present challenges to travel for an in-person visit. Some provider groups noted that easing restrictions on the location and site of service for telehealth services helped maintain continuity of care because it enabled providers to connect with beneficiaries, regardless of where either party was located. Many provider groups also noted that easing these restrictions made it less likely for barriers, such as travel time, weather, and lack of transportation, to stand in the way of accessing care. Some provider groups said the ability to receive care from any location and site of service reduced cancellations and missed appointments. The majority of provider groups supported making these waivers permanent, and all three beneficiary advocacy groups identified these waivers as key priorities for policymakers in considering any changes to Medicare telehealth. 77 75In this report we summarize perspectives across 29 stakeholder groups using the following descriptors-majority of or nearly all, most, many, some, and a few. For perspectives across all provider and beneficiary advocacy groups, we consider majority of or nearly all to be 26 to 28 groups, most to be 23 to 25 groups, many to be 15 to 22 groups, some to be six to 14 groups, and a few to be two to five groups. For perspectives across provider groups only, we consider majority of or nearly all to be 23 to 25 groups, most to be 21 to 22 groups, many to be 13 to 20 groups, some to be five to 12 groups, and a few to be two to four groups. 76Representatives from two provider groups said that their own practices tracked the location and site of service of a telehealth visit as part of the patient's electronic health record. 77InDecember 2020, Congress passed and the president signed legislation that removed geographic location restrictions and added a beneficiary's home as a permissible site of service for certain mental health services furnished via telehealth after the public health emergency ends. See Pub L. No. 116-260, div. CC, tit. I, subtit. B, § 123, 134 Stat. 1182, 2956 (amending 42 U.S.C. § 1395m(m)(7)). Page 36 GAO-22-104454 Medicare Telehealth Stakeholders Noted The majority of stakeholders also noted limitations of telehealth for certain Telehealth Limitations for types of services-such as orthopedic or ophthalmology services-that require examining a patient's physical condition. Many provider groups Services That Require said that telehealth cannot replace in-person care, particularly when a Physical Exams; physical exam or diagnostic testing is required-for example, when a Beneficiary Groups patient needs an electrocardiogram to measure heart functioning. A few Support Temporary provider groups noted it was a challenge getting the level of detail needed Extension of Waivers when examining patients via telehealth. One provider noted that inspecting surgical incisions over video is difficult and could lead to a misdiagnosis. This provider noted misdiagnoses can have long-term consequences if an infection develops at the incision site that requires an emergency room visit and several weeks of antibiotic usage. Alternatively, most stakeholder groups indicated that telehealth was appropriate for certain types of services that do not require a physical examination, such as office visits to discuss chronic care management, as well as services for mental and behavioral therapy, patient education, and follow-up care. One provider group noted that telehealth was useful for patient consultations to review patient images or scans prior to surgery and to discuss care plans following surgery. This provider group also noted that providers who are paid a bundled payment rate for a set of services can utilize the flexibility that telehealth offers by providing multiple follow-up visits via telehealth or in-person because these visits are part of the bundled rate. Many provider groups also noted that providers furnished acute care telehealth services for triaging patients to determine if in-person care was needed. Two beneficiary groups favor temporarily extending waivers to allow more time for policymakers to study telehealth services to evaluate their effects on access, spending, and quality of care before making them permanent. These groups noted concerns with the rapid rate in which services, such as audio-only visits, were added to the Medicare list of telehealth services without knowing how clinically appropriate they were as telehealth services beyond the pandemic. 78 One beneficiary group explained that further study is needed because some services may or may not be suitable for telehealth, and this could affect beneficiary care, particularly if beneficiaries are only able to access services via telehealth. However, a 78CMS used its regulatory authority to extend 64 services approved for telehealth through December 31, 2023 in order to allow additional time for further evaluation, and, as of January 5, 2022, CMS had permanently approved nine services for telehealth. Page 37 GAO-22-104454 Medicare Telehealth few provider groups, such as physical therapists, wanted more services added to the list. Stakeholders Indicated The majority of stakeholder groups indicated that beneficiaries and That Providers and providers relied on audio-only technology for telehealth visits due to limitations accessing video technology. 79 All three beneficiary groups Beneficiaries Relied on noted that beneficiaries tended to access telehealth using a phone. Some Audio-Only Technology to provider groups told us that audio-only visits were appropriate for certain Access Telehealth types of services, such as check-ins, chronic care management of patients, evaluating audible symptoms (e.g., a cough), as well as obtaining patient history, medication management, and discussing test results. Some provider groups noted that some patients were more comfortable seeking care, such as mental and behavioral health services, by phone. One provider group noted that audio-only visits enabled providers to more quickly establish contact with a patient, because patients found it easier to use a phone rather than video technology to communicate with a provider. Nearly all stakeholder groups indicated video telehealth visits had limitations because beneficiaries need certain resources and knowledge to access the visit. For example, they may need broadband internet and video technology. They may also need to know how to use the technology. Further, some provider groups indicated that audio-only technology provided a necessary backup when the technology needed for a video telehealth visit did not work, such as a slow connection or poor video quality. However, some stakeholders also noted limitations of audio-only telehealth visits. Compared to video or in-person visits, they noted that providers were limited in what they could accomplish during audio-only visits because of the inability to see the patient to assess their condition. One beneficiary group noted that a beneficiary with skin wounds, for example, may not be able to easily describe those wounds over the phone, and four provider groups noted they used audio-only visits only as a last resort to ensure the patient could access care. Further, all three beneficiary advocacy groups noted that telehealth may lead to inequities in access to care if beneficiaries, such as, those in low income or rural populations, can only access telehealth services via phone. Despite such 79As discussed earlier in this report, 19 of the 26 provider groups told us that audio-only visits were critical to ensuring beneficiary access to care and three provider groups we interviewed stated that audio-only visits represented the majority of telehealth visits for provider practices in their respective specialties. Page 38 GAO-22-104454 Medicare Telehealth limitations, many provider groups with whom we spoke supported making audio-only telehealth permanent, so those who do not have access to broadband, or do not have video technology, can still access care through telehealth. Stakeholders Indicated Many provider groups told us that the expansion of eligible providers Expansion of Eligible enabled them to deliver services via telehealth during the pandemic. 80 Providers Enabled Service Two provider groups with whom we spoke stated concerns with the providers furnishing telehealth services to new Medicare patients, noting Delivery; a Few Noted the importance of the established patient-provider relationship in Concerns when Providers maintaining continuity of care. One of these groups told us that providers Deliver Telehealth to New who do not have an established relationship with a patient have no history Patients of the patient and may never furnish follow-up care, which could have implications for quality of care beneficiaries receive. Some provider groups with whom we spoke also supported the waiver enabling providers to furnish telehealth services to patients across state lines without reporting their distant site location to Medicare. 81 However, one group representing rural providers said that while this waiver makes it easier for out-of-state providers to see patients, it may disrupt coordination of the patient's care at the local level if the out-of-state provider does not have access to the patient's medical records. In addition, one beneficiary group noted that some beneficiaries went without services for a period of time due to their confusion about which types of eligible providers offered telehealth. According to Stakeholders Some provider groups told us that equivalent payment for telehealth and Equivalent Payment for in-person services enabled providers to furnish services via telehealth during the pandemic and many provider groups with whom we spoke Telehealth Services supported equivalent payment for these services. Some groups told us Enabled Access; Some that equivalent telehealth payment sustained provider practice costs Described Different Costs during the post-waiver period when utilization of in-person services Related to Telehealth and declined. In-Person Visits However, four groups, including one group representing a cross-section of providers, stated that the costs of a telehealth visit, such as an audio- only visit, were different than those for an in-person visit. One of these 80See table 1 in this report for examples of provider expansions under telehealth waivers. 81During the public health emergency, providers may furnish telehealth services across state lines without reporting their distant site location to Medicare if they are licensed or otherwise authorized under applicable state law. Page 39 GAO-22-104454 Medicare Telehealth groups also noted that providers should be paid for their time spent providing patient care, but not necessarily for the practice expense costs. Given the equivalent payment between telehealth and in-person services during the pandemic, one provider group noted that providers who are paid for each service they furnish may have more incentive to furnish services via telehealth, in addition to in-person visits. However, providers who are paid a fixed payment regardless of the number of telehealth visits they provide have no incentive to provide telehealth services in addition to in-person visits. All three beneficiary groups noted concerns about options for accessing care if providers only offer beneficiaries the choice of telehealth rather than in-person care. Two of these groups further noted that replacing in-person care with telehealth could lead to poorer health outcomes. For example, one group noted that beneficiaries with hearing impairments or language barriers may not have an effective means of accessing care if in-person visits are not available. Further, all three beneficiary groups said beneficiaries were confused about how much they owed for a telehealth visit due to providers having the option to reduce or waive beneficiary copays for telehealth services during the pandemic. Two of these groups noted that providers varied in collecting beneficiary copays for these visits. Some provider groups with whom we spoke support charging beneficiaries a copay for telehealth visits. Two provider groups noted that copays were needed for practice revenue, and one provider group said that copays could help control any potential overutilization of telehealth services. In March 2020, HHS acted quickly in response to the COVID-19 Conclusions pandemic in order to enable Medicare beneficiaries' access to care via telehealth technologies. These actions facilitated a more than tenfold increase in the utilization and spending for telehealth services from April to December 2020, compared to the same period in 2019. As of September 2022, telehealth waivers will remain in place for 151 days after the end of the public health emergency. However, CMS has not yet addressed the risks of increased long-term spending from potential overuse and unknown quality of telehealth services. Without using a specific billing modifier to indicate the delivery of audio-only services and a code to indicate the site of service, and an assessment of the quality of telehealth services, CMS cannot fully track telehealth service delivery, monitor spending, or assess whether the quality of telehealth services is comparable to in-person services. HHS's OCR used its enforcement discretion to allow providers to use a broad range of non-public-facing remote communication technologies to Page 40 GAO-22-104454 Medicare Telehealth provide telehealth without the risk OCR might seek to impose a penalty for noncompliance with the HIPAA Rules during the public health emergency. Providers' subsequent use of such technologies potentially introduced additional privacy and security risks-such as patients' PHI being overheard, or disclosed without their permission or knowledge. Providing additional education, outreach, or other assistance to providers may help ensure that patients understand potential privacy and security risks of video telehealth platforms. This also may help patients make better informed decisions in accessing telehealth services. We are making three recommendations to CMS: Recommendations for Executive Action The Administrator of CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits. (Recommendation 1) The Administrator of CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes. (Recommendation 2) The Administrator of CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the public health emergency. Such an assessment could include leveraging evidence from related efforts led by other HHS agencies. (Recommendation 3) We are making one recommendation to OCR: OCR should provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services. (Recommendation 4) We provided a draft of this report to HHS for review and comment. HHS Agency Comments provided written comments, which are reprinted in appendix IV. HHS also and Our Evaluation provided technical comments, which we incorporated as appropriate. HHS neither agreed nor disagreed with our three recommendations to CMS. HHS agreed with our recommendation to OCR. Regarding our first recommendation to develop a billing modifier or clarify guidance regarding billing of audio-only office visits, HHS stated that CMS has proposed a billing modifier. Specifically, in its proposed 2023 Page 41 GAO-22-104454 Medicare Telehealth physician fee schedule rule, CMS has proposed requiring providers to append a billing modifier to claims to indicate their use of audio-only technology, for services where use of such technology is permitted. 82 However, the proposed use of the billing modifier would not apply to the 10 office visit codes for services that are not eligible to be delivered via audio-only technology outside of the COVID-19 public health emergency. Without use of a modifier for these 10 existing office visit codes, CMS will continue to be unable to fully track utilization of audio-only telehealth services, as is the agency's stated goal. HHS neither agreed nor disagreed with our second recommendation to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes. However, HHS noted steps CMS is taking to identify when Medicare telehealth services are delivered to beneficiaries in their homes. HHS noted that CMS's 2023 physician fee schedule proposed rule includes a proposal for providers to use available site of service codes for Medicare telehealth services performed on or after the 152nd day after the end of the public health emergency. 83 According to the agency, if finalized, these codes would indicate whether a Medicare service was provided via telehealth in a beneficiary's home or elsewhere. This proposal, if implemented, should address our recommendation. HHS neither agreed nor disagreed with our third recommendation to assess the quality of Medicare telehealth services during the public health emergency. However, HHS noted several efforts CMS has taken in that regard. For example, according to HHS, CMS has measured the effect of telehealth waivers on hospital readmissions and on beneficiaries' access to opioid treatments. HHS also noted that extending some services that are temporarily available via telehealth through the end of calendar year 2023 will allow providers time to compile evidence of clinical benefit- such as a reduced rate of complications-for these services when furnished via telehealth. Such evidence may support potential permanent addition of these services to the Medicare telehealth services list. While these are positive steps toward assessing the quality of telehealth services delivered to Medicare beneficiaries, they do not constitute a comprehensive assessment of telehealth quality. As we discussed in our report, CMS has not outlined how it intends to comprehensively assess 82See 87 Fed. Reg. 45,860, 45,900 (proposed July 29, 2022). 83See 87 Fed. Reg. 45,860, 45,899 (proposed July 29, 2022). Page 42 GAO-22-104454 Medicare Telehealth the quality of Medicare telehealth services-including audio-only services-during and after the public health emergency. Such an assessment could leverage other related quality efforts across HHS agencies. CMS's own risk assessment of the new telehealth waivers identified patient harm and quality as potential risks. We maintain that CMS needs to comprehensively assess the quality of Medicare telehealth services to inform decisions about telehealth in the Medicare program, and ensure Medicare services are appropriately delivered in the future. HHS concurred with our fourth recommendation for OCR to provide additional guidance to providers to help them explain the privacy and security risks to patients when using video telehealth platforms to provide telehealth services. The agency noted OCR recently issued two guidance documents relating to uses of audio-only telehealth consistent with the HIPAA Rules, as well as the privacy and security of health information when using a cell phone or tablet. 84 OCR issued guidance to covered providers and health plans about whether, and in what circumstances, audio-only telehealth is permissible under the HIPAA Rules, including when OCR's Notification is no longer in effect. Additionally, OCR issued guidance for individuals that explains, in most cases, that the HIPAA Rules do not protect the privacy or security of individuals' health information when they access or store the information on personal cell phones or tablets. However, these telehealth guidance documents do not address video telehealth applications. Further, the guidance about cell phones and tablets provides general background about privacy and security issues and does not address key components of our recommendation. HHS notes that it plans to develop additional guidance for providers regarding telehealth and will include information to help providers explain privacy and security risks to individuals in plain language. Given policymakers' interest in extending telehealth waivers, we maintain the importance of 84See Department of Health and Human Services, Office for Civil Rights, "Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth" (Washington, D.C.: June 13, 2022), accessed Sept. 1, 2022, https://www.hhs.gov/hipaa/for- professionals/privacy/guidance/hipaa-audio-telehealth/index.html. Department of Health and Human Services, Office for Civil Rights, "Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet" (Washington, D.C.: June 29, 2022), accessed Sept. 1, 2022, https://www.hhs.gov/hipaa/for- professionals/privacy/guidance/cell-phone-hipaa/index.html. Page 43 GAO-22-104454 Medicare Telehealth providing guidance to providers to help them educate patients on privacy and security risks when using video platforms for telehealth services. We are sending copies of this report to the appropriate congressional committees, and the Secretary of Health and Human Services. In addition, the report is available at no charge on the GAO website at https://www.gao.gov. If you or your staff have any questions about this report, please contact me at (202) 512-7114 or GordonLV@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix V. Leslie V. Gordon Acting Director, Health Care Page 44 GAO-22-104454 Medicare Telehealth List of Addressees The Honorable Patrick J. Leahy Chairman The Honorable Richard C. Shelby Vice Chairman Committee on Appropriations United States Senate The Honorable Ron Wyden Chairman The Honorable Mike Crapo Ranking Member Committee on Finance United States Senate The Honorable Patty Murray Chair The Honorable Richard Burr Ranking Member Committee on Health, Education, Labor, and Pensions United States Senate The Honorable Gary C. Peters Chairman The Honorable Rob Portman Ranking Member Committee on Homeland Security and Governmental Affairs United States Senate The Honorable Kyrsten Sinema Chair The Honorable James Lankford Ranking Member Subcommittee on Government Operations and Border Management Committee on Homeland Security and Governmental Affairs United States Senate Page 45 GAO-22-104454 Medicare Telehealth The Honorable Rosa L. DeLauro Chair The Honorable Kay Granger Ranking Member Committee on Appropriations House of Representatives The Honorable Frank Pallone, Jr. Chair The Honorable Cathy McMorris Rodgers Republican Leader Committee on Energy and Commerce House of Representatives The Honorable Bennie G. Thompson Chairman The Honorable John Katko Ranking Member Committee on Homeland Security House of Representatives The Honorable Carolyn B. Maloney Chairwoman The Honorable James Comer Ranking Member Committee on Oversight and Reform House of Representatives The Honorable Richard E. Neal Chair The Honorable Kevin Brady Republican Leader Committee on Ways and Means House of Representatives The Honorable Kim Schrier House of Representatives Page 46 GAO-22-104454 Medicare Telehealth Appendix I: Objectives, Scope, and Appendix I: Objectives, Scope, and Methodology Methodology This report 1. describes the extent to which utilization of and spending for services approved for telehealth changed after the Department of Health and Human Services' (HHS) approval of telehealth waivers in March 2020; 2. examines the Centers for Medicare & Medicaid Services' (CMS) efforts to identify and monitor risks posed by Medicare telehealth waivers; 3. examines a change the Office for Civil Rights (OCR) made to its enforcement of regulations governing patients' protected health information (PHI); and 4. describes the perspectives of stakeholders on Medicare telehealth services under waivers, including the possibility of extending the waivers beyond the public health emergency. To describe how Medicare utilization of and spending for 309 services approved for telehealth changed after HHS approval of telehealth waivers, we used CMS Medicare Part B fee-for-service claims data for calendar years 2019 and 2020-the most recently available data for the entire year at the time of our study. To examine the full scope of services that Medicare covers and pays for when conducted via telehealth, we first identified 238 services on the Medicare Telehealth List-a list of services payable under the Medicare Physician Fee Schedule when furnished via telehealth. We used the April 30, 2020, version of this list because it was the most up to date list at the time of our analysis. The list was last updated on January 5, 2022 and includes 34 additional services compared to the version we used. 1 We also identified services approved for telehealth by interviewing officials from CMS, the Office of the Assistant Secretary for Planning and 1The latest version is available here: Centers for Medicare & Medicaid Services, List of Telehealth Services (Baltimore, Md.: June 17, 2022), accessed July 11, 2022, https://www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth- Codes. Page 47 GAO-22-104454 Medicare Telehealth Appendix I: Objectives, Scope, and Methodology Evaluation, and the American Medical Association. 2 We also reviewed Medicare billing guidelines and interviewed knowledgeable CMS officials to distinguish telehealth from in-person utilization in the CMS data and considered telehealth and other remote services billed with modifier 95 or site of service variable 02 as telehealth utilization. We analyzed aggregate utilization and spending for these services delivered in-person as well as via telehealth. We further analyzed utilization and spending by subsets, including • provider specialty, including individual specialties (such as internal medicine and cardiology); broad specialty categories (such as primary care, medical, and surgical); and other clinicians, such as nurse practitioners and physician assistants; 3 • provider location, including by rural and urban; 4 2Our analysis of CMS data and figures in this report includes telehealth services as well as other services such as virtual check-ins and e-visits that CMS collectively defines telemedicine. Virtual check-ins are short, patient-initiated communications with a health care practitioner through different technologies, including by phone or video. E-visits are non-face-to-face, patient-initiated communications through an online patient portal. Medicare covered and paid for virtual check-ins and e-visits prior to the pandemic. Our analysis also includes remote patient monitoring services. 3We categorized individual specialties into 10 broad groups, including three groups for physicians who provide primary care, medical, and surgical services, and one group for nurse practitioners and physician assistants. For example, the primary care group included the specialties of family practice and general practice; the medical group included the specialties of cardiology and nephrology; the surgical group included the specialties of general surgery and vascular surgery; and the other clinicians group includes nurse practitioners and physician assistants. The other clinicians' group also includes services provided by registered dieticians and certified clinical nurse specialists. We categorized nurse practitioners and physician assistants separately from primary care physicians because they have defined scope of practices that are variable between states and medical practices. A provider's scope of practice determines the range of services they are allowed to perform. 4To determine the location of claims in the outpatient and carrier files, we used the National Plan & Provider Enumeration System to identify a zip code for each National Provider Identifier. We then merged these zip codes with CMS's ZIPSTCO file to create a crosswalk that produced the provider's core-based statistical area. We then used the provider's core-based statistical area to determine if the services were conducted by a provider in a rural or urban area. Page 48 GAO-22-104454 Medicare Telehealth Appendix I: Objectives, Scope, and Methodology • broad service categories (such as all types of office visits combined, or all types of mental and behavioral health services combined); 5 • site of service, such as an eligible originating site; and • beneficiary characteristics, including age, sex, location, race, and ethnicity. We analyzed these data across two time periods: pre-waiver and post- waiver. We defined the pre-waiver period as April 1 through December 31, 2019 and the post-waiver period as April 1 through December 2020. 6 To determine the number of telehealth services provided in beneficiaries' homes, we first counted the number of times the billing code Q3014 was billed. The code is used to bill for a telehealth originating site facility fee when a beneficiary accesses telehealth services from a health care facility or clinic. If the beneficiary receives the telehealth service at home, there would be no facility to bill the code. To examine CMS efforts to identify and monitor risks posed by Medicare telehealth waivers, we interviewed agency officials, and reviewed relevant materials. For example, we reviewed documents such as CMS's COVID telehealth program integrity risk assessment and actions taken to address these risks, CMS's guidance for providers and beneficiaries regarding telehealth, and relevant federal statutes and regulations. 7 We also reviewed selected research on telehealth risks, including our prior reports, and those from the Medicare Payment Advisory Commission, HHS Office of Inspector General, and academic researchers. In addition, between November 2020 and January 2022, we interviewed 26 provider groups, and three beneficiary advocacy groups-all of whom 5To group individual services into services types, we used Berenson-Eggers Type of Service codes, which assigns individual services to broader, readily understood clinical categories, such as office visits for established patients. 6We chose April because it was the first full month that waivers were in full effect after the first telehealth waivers in response to COVID-19 were issued on March 17, 2020. 7In its COVID telehealth program integrity risk assessment, which we refer to as the telehealth risk assessment for purposes of this report, CMS officials outlined risks posed by the telehealth waivers and actions taken to address these risks. CMS said that the telehealth risk assessment is updated as new waivers are issued or made permanent. We did not evaluate CMS's risk assessment approach. Page 49 GAO-22-104454 Medicare Telehealth Appendix I: Objectives, Scope, and Methodology have experience, knowledge, and interest in telehealth. 8 Specifically, we selected provider groups within six broad categories representing a mix of providers as defined by the services they deliver-primary care; mental and behavioral health; medical; surgical; other clinicians, including nurse practitioners; and therapy (physical and occupational therapists and speech language pathologists). 9 Within each broad provider group, we then identified individual provider specialties that in aggregate accounted for a majority of overall spending on in-person services in 2019-the most recent complete year of data available at the time of our selection. 10 We also interviewed umbrella groups who represent providers across specialties, such as rural providers. We selected beneficiary advocacy groups who represent the views of Medicare beneficiaries in accessing and utilizing telehealth services. For a list of stakeholder groups we interviewed, see table 2. Table 2: Stakeholder Groups Interviewed Provider groups • Primary care • Society of General Internal Medicine • American Academy of Family Physicians • Mental health/behavioral health • American Psychiatric Association • American Psychological Association 8We also interviewed one national association of private payers and two large private payers that represented the largest market share of private sector enrollees in 2019 to ensure we were obtaining perspectives on telehealth services from a broad set of stakeholders. We did not include this information in our report because private payers are not subject to the same statutory regulations that exist in Medicare fee-for-service. 9We categorized nurse practitioners and physician assistants separately from primary care physicians because they have defined scope of practices that are variable between states and medical practices. A provider's scope of practice determines the range of services they are allowed to perform. 10For example, the internal medicine and family practice specialties accounted for almost all of total spending for specialties we included under primary care. We interviewed provider groups who represent these individual provider specialties. Page 50 GAO-22-104454 Medicare Telehealth Appendix I: Objectives, Scope, and Methodology Provider groups • Medical • American College of Cardiology • American Thoracic Society • American Society of Nephrology • American Society of Clinical Oncology • American Urological Association • Infectious Diseases Society of America • American Academy of Ophthalmology • Surgical • American College of Surgeons • American Academy of Orthopaedic Surgeons • American Association of Neurological Surgeons • Society for Vascular Surgery • Society of Thoracic Surgeons • Other clinicians • American Association of Nurse Practitioners • Therapy • American Physical Therapy Association • American Occupational Therapy Association • American Speech-Language-Hearing Association • Umbrella • American Medical Association • American Hospital Association • Association of American Medical Colleges • American College of Physicians • National Rural Health Association • American Telemedicine Association • Beneficiary advocacy groups • Center for Medicare Advocacy • Medicare Rights Center • Consortium for Constituents with Disabilities Source: GAO interviews with stakeholder groups. | GAO-22-104454 Note: We also interviewed one national association of private payers and two large private payers to ensure we were obtaining perspectives on telehealth services from a broad set of stakeholders. We did not include this information in our report because private payers are not subject to the same statutory regulations that exist in Medicare fee-for-service. In this report we summarize 29 stakeholder perspectives on Medicare telehealth services under waivers across all 26 provider groups and three beneficiary advocacy groups using the following descriptors-majority of or nearly all, most, many, some, and a few. For perspectives across all provider and beneficiary advocacy groups, we consider majority of or Page 51 GAO-22-104454 Medicare Telehealth Appendix I: Objectives, Scope, and Methodology nearly all to be 26 to 28 groups, most to be 23 to 25 groups, many to be 15 to 22 groups, some to be six to 14 groups, and a few to be two to five groups. For perspectives across provider groups only, we consider majority of or nearly all to be 23 to 25 groups, most to be 21 to 22 groups, many to be 13 to 20 groups, some to be five to 12 groups, and a few to be two to four groups. We assessed CMS's efforts to identify and monitor risks against CMS's objectives to improve the agency's information about the appropriateness and effectiveness of services delivered via telehealth. For example, we assessed CMS's efforts to evaluate the quality of telehealth services against CMS's quality strategy. Specifically, we assessed CMS' objective to reduce disparities in health care, as well as support evidence-based care and clinical decision making overall. 11 To examine a change OCR made to its enforcement of regulations governing patients' PHI, we interviewed agency officials and reviewed relevant materials, including regulations and guidance to providers. We also reviewed selected research about risks to privacy and security. We assessed OCR's efforts to oversee the privacy and security risks for patients' PHI against the Standards for Internal Control in the Federal Government. 12 We also assessed OCR's efforts against the Health Information Technology for Economic and Clinical Health Act, which mandates increased education to providers and patients to increase understanding of potential uses of their PHI and the effects of such uses, including the use of PHI in telehealth technology. 13 We assessed the reliability of the CMS claims data used for this report by reviewing relevant documentation and interviewing knowledgeable 11Centers for Medicare & Medicaid Services, The CMS National Quality Strategy: A Person-Centered Approach to Improving Quality (Baltimore, Md.: June 6, 2022). 12See GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: Sept. 10, 2014). Internal control is a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. We determined that the information and communication component of internal controls were significant to this objective, along with the underlying principle that management should communicate quality information with external parties to achieve its objectives and respond to risks. 13Pub. L. No. 111-5, § 13403(b), 123 Stat. 115, 263 (Feb. 17, 2009). Section 13403 refers to educating individuals about the potential uses of their PHI and the effects of such uses. In this report, we refer to individuals as patients. Page 52 GAO-22-104454 Medicare Telehealth Appendix I: Objectives, Scope, and Methodology officials from CMS and the American Medical Association. The data are used by the Medicare program as a record of payments to health care providers and are monitored by both CMS and the Medicare contractors that process, review, and pay claims. We also performed electronic data tests to check for missing data and consistency with other published data, such as the Assistant Secretary for Planning and Evaluation's Office of Health Policy's recent report on telehealth use during the pandemic. 14 We determined the data were reliable for analyzing telehealth utilization and spending trends. We identified weaknesses in these data, as discussed in this report. We conducted this performance audit from July 2020 to September 2022 in accordance with generally accepted government accounting standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 14L. W. Samson et al., Medicare Beneficiaries' Use of Telehealth in 2020: Trends by Beneficiary Characteristics and Location, HP-2021-27 (Washington, D.C.: Department of Health and Human Services, Office of the Assistant Secretary for Planning and Evaluation, Dec. 3, 2021). Page 53 GAO-22-104454 Medicare Telehealth Appendix II: Additional Information on Appendix II: Additional Information on Telehealth Utilization Telehealth Utilization Table 3 provides information on telehealth utilization, including by service type and select specialties, 2019 and 2020. Table 4 provides information on telehealth utilization, by categories of services, from April to December 2019 and 2020. Figure 6 shows the characteristics, such as age and sex, of beneficiaries accessing services via telehealth from April to December 2020. Table 3: Medicare Telehealth Utilization, by Service Type and Select Specialties, 2019 and 2020 Percent of specialty's Telehealth Utilization in Telehealth utilization in services that were Service type and select specialties 2020 (in thousands) 2019 (in thousands) telehealth in 2020 Medical 19,705 4,695 11 Cardiology 4,740 2,063 21 Cardiac electrophysiology 3,024 2,138 67 Neurology 1,352 39 18 Nephrology 1,132 9 9 Gastroenterology 1,059 3 17 Primary care 15,587 320 12 Internal medicine 8,561 226 11 Family practice 6,408 75 13 Mental and behavioral health 9,919 358 39 Licensed clinical social worker 3,645 45 48 Psychiatry 3,607 246 34 Clinical psychologist 2,539 65 38 Other clinicians 9,158 612 13 Nurse practitioner 6,868 531 14 Physician assistant 2,022 67 10 Physical therapy, occupational therapy, 1,605 8 2 speech language pathology Physical therapist 694 <1 1 Physical medicine and rehabilitation 602 7 8 Surgical 808 20 4 Orthopedic surgery 288 3 3 General surgery 181 3 3 Vascular surgery 67 2 5 Testing 642 398 75 Legend: <1 = Fewer than 1,000 services were delivered via telehealth. | GAO-22-104454 Source: GAO analysis of Centers for Medicare & Medicaid Services data. Page 54 GAO-22-104454 Medicare Telehealth Appendix II: Additional Information on Telehealth Utilization Table 4: Medicare Telehealth Utilization, by Categories of Services, April–December 2019 and 2020 Percent of service type's Telehealth utilization, Telehealth utilization, services that were April–December 2020 (in April–December 2019 (in delivered via telehealth, Service type (BETOS category)a thousands) thousands) April–December 2020 Evaluation and management Office/ outpatient services-established 22,032 366 16 office visits (EV11N) Office/ outpatient services-other (EV99N) 11,787 30 75 Behavioral health services-psychotherapy 6,691 82 58 (EB14N) Nursing facility services-other (EN99N) 2,389 19 11 Office/ outpatient services-new office visits 1,070 9 6 (EV10N) Care management/ coordination-other 886 126 92 (EM99N) Hospital inpatient services-other (EI99N) 725 267 1 Office/outpatient services-annual wellness 648 <1 9 visits (EV12N) Behavioral health services-other (EB99N) 558 26 20 Home services-other (EH99N) 305 <1 16 Care management/ coordination-transition 152 <1 18 care management (EM15N) Miscellaneous-other (EX99N) 73 23 22 Emergency department services-other 64 30 1 (ER99N) Critical care services-other (EC99N) 21 4 0 Ophthalmological services-ophthalmology 13 <1 0 visits (EE13N) Observation care services-other (EO99N) 8 <1 0 Tests Cardiography-other (TC99N) 4,465 3,425 99 Cardiography-external electrocardiographic 492 520 100 monitoring (TC82N) Neurologic-other (TN99N) <1 0 0 Miscellaneous-other (TX99N) <1 0 0 Treatments Physical, occupational, and speech 635 <1 2 therapy-physical therapy treatment (RT51N) Dialysis-other (RD99N) 179 1 7 Page 55 GAO-22-104454 Medicare Telehealth Appendix II: Additional Information on Telehealth Utilization Percent of service type's Telehealth utilization, Telehealth utilization, services that were April–December 2020 (in April–December 2019 (in delivered via telehealth, Service type (BETOS category)a thousands) thousands) April–December 2020 Physical, occupational, and speech 108 0 6 therapy-other (RT99N) Physical, occupational, and speech 23 <1 1 therapy-physical therapy evaluation (RT52N) Radiation oncology-other (RR99N) 7 0 1 Miscellaneous-other (RX99N) <1 0 0 Imaging Miscellaneous-other (IX99N) 2 2 100 Total (all BETOS categories) 53,512 4,929 15 Legend: <1 indicates that fewer than one thousand services were delivered via telehealth. Source: GAO analysis of Centers for Medicare & Medicaid Services data. | GAO-22-104454 Note: In response to the COVID-19 pandemic, the Centers for Medicare & Medicaid Services temporarily waived or modified certain requirements, expanding the telehealth services in Medicare. Data are for 309 services that were approved for telehealth. a To group individual services into services types, we used Berenson-Eggers Type of Service (BETOS) codes, which assigned individual services to broader readily understood clinical categories, such as office visits for established patients. Page 56 GAO-22-104454 Medicare Telehealth Appendix II: Additional Information on Telehealth Utilization Figure 6: Use of Medicare Telehealth, by Beneficiary Characteristic, April–December 2020 Note: In response to the COVID-19 pandemic, the Centers for Medicare & Medicaid Services issued temporary waivers that expanded the availability of telehealth services in Medicare. Utilization data are for 309 services that may be provided via telehealth under the waivers. Page 57 GAO-22-104454 Medicare Telehealth Appendix III: Overview of Health Insurance Appendix III: Overview of Health Insurance Portability and Accountability Act of 1996 Portability and Accountability Act of 1996 Privacy, Security, Enforcement, and Breach Notification Rules Privacy, Security, Enforcement, and Breach Notification Rules Table 5: Overview of HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Rule Purpose Privacy Generally prohibits the use or disclosure of PHI, except where required or permitted as set out in the Privacy Rule, and establishes the rights of individuals with respect to their PHI.a Security Established standards intended to safeguard individual's electronic PHI that is created, received, maintained, or transmitted by a covered entity or business associate. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI.b The safeguards are either required or addressable. They include security incident procedures such as response and reporting and access controls such as encryption.c Enforcement Established OCR's processes to ensure that covered entities and business associates comply with the HIPAA Rules, primarily by investigating HIPAA complaints and breach reports filed with OCR.d OCR also conducts compliance reviews and audits, and it provides education and outreach to support compliance with the HIPAA Rules. Breach Notification Requires covered entities, upon discovery of a breach of unsecured PHI, to provide notification to affected individuals, and for certain large breaches, the media, within 60 days. They must also notify the Secretary of HHS of large breaches (affecting 500 or more individuals) within 60 days, and report smaller breaches no later than 60 days after the end of each calendar year; business associates must report breaches to the covered entity e Source: GAO analysis of Department of Health and Human Services (HHS) Office for Civil Rights (OCR) information. | GAO-22-104454 Notes: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules refer to the Privacy, Security, Enforcement, and Breach Notification Rules-the regulations that implement HIPAA and set out requirements governing covered entities and business associates' disclosure, use, maintenance, and transmission of protected health information (PHI). Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (Aug. 21, 1996) as amended by the Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, tit. XIII, 123 Stat. 115, 226 (Feb. 17, 2009). PHI is individually identifiable health information and includes information that (1) is created or received by a covered entity; (2) relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. The definition exempts a small number of categories of individually identifiable health information, such as information found in employment records held by a covered entity in its role as an employer. HIPAA-covered entities include health plans, health care providers who conduct certain transactions electronically, and health care clearinghouses. Business associates are third parties that (1) create, receive, maintain, or transmit PHI on behalf of a covered entity for a covered function; or (2) provide certain services to or for a covered entity that involve the disclosure of PHI. 45 C.F.R. § 160.103. a For example, covered entities generally may not use or disclose PHI without patient authorization except as specifically permitted in the Rule-such as for treatment, payment, or health care operations or for public health purposes. These provisions specify other conditions which must be satisfied before the PHI can be disclosed. Covered entities may also disclose PHI to a business associate if they first enter into a written business associate agreement that provides assurances that PHI will be appropriately safeguarded. If covered entities fail to enter into such an agreement with a business associate, they are in violation of the HIPAA Privacy and Security Rules. 45 C.F.R. §§ 164.314, 164.502, 164.508, 164.512 (2021). b 45 C.F.R. Part 164, Subpart C. c 45 C.F.R. §§ 164.306, 308(a)(6), 312(a)(2)(iv) (2021). 45 C.F.R. Part 160, Subpart C (Compliance and Investigations) and Subpart D (Imposition of Civil d Money Penalties). See Department of Health and Human Services Office for Civil Rights, Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2020 (Washington, D.C.: 2020). Page 58 GAO-22-104454 Medicare Telehealth Appendix III: Overview of Health Insurance Portability and Accountability Act of 1996 Privacy, Security, Enforcement, and Breach Notification Rules If OCR accepts a complaint for investigation, it reviews the evidence it gathers in each case. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining voluntary compliance, corrective action, or a resolution agreement. If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil monetary penalties on the covered entity. e 45 C.F.R. Part 164, Subpart D. For additional information, see GAO, Electronic Health Information: HHS Needs to Improve Communications for Breach Reporting, GAO-22-105425 (Washington, D.C.: May 27, 2022). Page 59 GAO-22-104454 Medicare Telehealth Appendix IV: Comments from the Appendix IV: Comments from the Department of Health and Human Services Department of Health and Human Services Page 60 GAO-22-104454 Medicare Telehealth Appendix IV: Comments from the Department of Health and Human Services Page 61 GAO-22-104454 Medicare Telehealth Appendix IV: Comments from the Department of Health and Human Services Page 62 GAO-22-104454 Medicare Telehealth Appendix IV: Comments from the Department of Health and Human Services Page 63 GAO-22-104454 Medicare Telehealth Appendix IV: Comments from the Department of Health and Human Services Page 64 GAO-22-104454 Medicare Telehealth Appendix IV: Comments from the Department of Health and Human Services Page 65 GAO-22-104454 Medicare Telehealth Appendix IV: Comments from the Department of Health and Human Services Page 66 GAO-22-104454 Medicare Telehealth Appendix IV: Comments from the Department of Health and Human Services Page 67 GAO-22-104454 Medicare Telehealth Appendix IV: Comments from the Department of Health and Human Services Page 68 GAO-22-104454 Medicare Telehealth Appendix V: GAO Contact and Staff Appendix V: GAO Contact and Staff Acknowledgments Acknowledgments Leslie V. Gordon, (202) 512-7114 or GordonLV@gao.gov GAO Contact In addition to the contact named above, Iola D'Souza (Assistant Director), Staff Maggie Holihan (Analyst-in-Charge), Robert Dougherty, Dan Lee, and Acknowledgments Dawn Nelson made key contributions to this report. Also contributing were Manuel Buentello, Marisol Cruz Cain, Nancy Fasciano, Jennifer R. Franks, Sandra George, Madison Herin, Xiaoyi Huang, Nicole Jarvis, Monica Perez-Nelson, Ethiene Salgado-Rodriguez, Jennifer Rudisill, Caitlin Scoville, and Cathy Hamann Whitmore. (104454) Page 69 GAO-22-104454 Medicare Telehealth The Government Accountability Office, the audit, evaluation, and investigative GAO's Mission arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no cost is Obtaining Copies of through our website. Each weekday afternoon, GAO posts on its website newly GAO Reports and released reports, testimony, and correspondence. You can also subscribe to GAO's email updates to receive notification of newly posted products. Testimony Order by Phone The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, https://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or Email Updates. Listen to our Podcasts. Visit GAO on the web at https://www.gao.gov. Contact FraudNet: To Report Fraud, Website: https://www.gao.gov/about/what-gao-does/fraudnet Waste, and Abuse in Automated answering system: (800) 424-5454 or (202) 512-7700 Federal Programs A. Nicole Clowers, Managing Director, ClowersA@gao.gov, (202) 512-4400, U.S. Congressional Government Accountability Office, 441 G Street NW, Room 7125, Washington, Relations DC 20548 Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Stephen J. Sanford, Managing Director, spel@gao.gov, (202) 512-4707 Strategic Planning and U.S. Government Accountability Office, 441 G Street NW, Room 7814, External Liaison Washington, DC 20548 Please Print on Recycled Paper.