Telehealth, Consent, and HIPAA


Please listen to our podcast on COVID-19, telehealth, and our response.  



This article offers an overview of getting started with telemedicine, some of the billing and reimbursement considerations, and some general thoughts on telemedicine for those new to the discipline:

 The Transition to Telemedicine

Our introductory course on telemedicine is free for policyholders and staff.  Click here to take it:  

Intro to Telemedicine

Please download our summary of coding and reimbursement during the COVID-19 pandemic:

COVID-19 Coding/Reimbursement Summary

 For a comprehensive summary of the changes to telemedicine, including billing changes, applicable during the COVID-19 public health emergency, please download the following bulletin:

COVID-19 Telemedicine Bulletin

The Center for Connected Health Policy* includes all states' telehealth policies related to COVID-19 (scroll to see the individual states), along with links to many state Medicaid programs and the Federation of State Medical Boards.

(*"Connected" refers to telehealth and other electronic communication.)

Q:  Can you help me with security considerations when choosing a telemedicine platform?

A:  With the increased use of teleconferencing, there has been a rash of “Zoom Bombing” and other teleconferencing platform hijacking, in which perpetrators access the meeting and take over.  It is best to use a platform that is encrypted and HIPAA compliant; however, the OCR understands that the current COVID-19 situation may make it necessary to use non-compliant platforms.  Regardless of what you use, when choosing and setting up your platform, be sure to review the privacy and security settings.  Additionally, the FBI recommends doing due diligence and following these hijacker threat mitigation measures:

  • Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password, or use the waiting room feature and control the admittance of guests
  • Provide the link directly to specific people
  • Change screensharing to “Host Only”
  • Ensure users are using the updated version of remote access/meeting applications
  • Ensure that your organization’s telework policy or guide addresses requirements for physical and information security

Q:  What type of technology do I need to perform telemedicine services?

A:  The new waiver in Section 1135(b) of the Social Security Act explicitly allows the Secretary to authorize use of telephones that have audio and video capabilities for the furnishing of Medicare telehealth services during the COVID-19 PHE. In addition, effective immediately, the HHS Office for Civil Rights (OCR) will exercise enforcement discretion and waive penalties for HIPAA violations against health care providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency. The OCR has also indicated platforms such as Facebook Live, Twitch, TikTok, and similar video services are considered public facing and should NOT be used for telehealth services.

Q:  Does it matter where the patient is located?

A:  Most states require the physician to be licensed in the state where the patient is located at the time of service. If you are near a border state, you should check that state's guidelines if you are treating patients via telemedicine.

Here is the General Provider Telehealth Toolkit from CMS.

March 31, 2020 Medicare Ruling.  Reacting to the many questions and concerns from providers about telemedicine payments, the Centers for Medicare & Medicaid Services (CMS) released Medicare IFC: Revisions in Response to the COVID-19 Public Health Emergency (CMS-1744-IFC) (PDF) (retroactively dated to March 1). The new ruling addresses many issues; however, we will spotlight several that are relevant to the ambulatory environment, noting the page numbers of the ruling for quick reference. This ruling indicates a significant change in coding and reimbursement of digital health services. This ruling appears to address a multitude of outstanding issues:

  1. In the rule, CMS addresses the issue of paying telemedicine visits at the facility rate. This rate is lower than the professional rate as it assumes that a SEPARATE payment is being made to the facility to cover the expenses of the facility and staff. CMS is instructing physicians and practitioners who bill for Medicare telehealth services to report the POS code that would have been reported had the service been furnished in person. Therefore, CMS will pay at the professional (higher) rate for telemedicine visits if the service is billed using the Place of Service (POS) 11 - Physicians' Office or 19/22 if you're organized as a Hospital Outpatient Clinic (whichever one you'd normally use if the services were provided in-person; the latter pays at the facility rate today). CMS is requesting that you append the -95 modifier to indicate that it was a service performed via telemedicine.  Do NOT use POS -02 as it will be paid at the lower, facility rate.   We encourage you to carefully read pages 14 and 15 from the Federal Register.
  2. A lengthy list of newly added telemedicine services (starts on page 19). 
  3. Confirmation that telemedicine requires an audio AND video platform (pages 48-49). In the case that two-way, audio and video technology required to furnish a Medicare telehealth service might not be available, CMS will pay for Telephone-only visits (pages 122-125); for phone-only visits, use CPT codes 99441-99443; 98966-98968. (Note that eVisits, Virtual Visits and Remote Monitoring may also be options; see descriptions of those codes -- they are NOT considered telemedicine services.)
  4. To enhance beneficiary protection, for both new and established patients, we suggest that the physician or other health care practitioner review consent information with a beneficiary, obtain the beneficiary’s verbal consent, and document in the medical record that consent was obtained.  Consent can be documented by "auxiliary staff," and can be obtained at the time of service (page 52; pages 121-122).
  5. G0071 reimbursement for FQHCs and RHCs rises; includes new patients (pages 86-87).
  6. New rules about Teaching Physicians Services (starting on page 101).
  7. E/M levels can be based on TIME for telemedicine (pages 136-137).

This is not meant to be a replacement for your internal HIM/coding/billing/compliance experts, but rather to allow you to read the ruling first hand to help interpret the guidance for your organization.


Consent and Disclaimer

Q: Do I need a special consent form for treating patients during the COVID-19 pandemic?

A: No. Patients do not need to consent to the risk of COVID-19 for routine medical care. However, we recommend a patient-centered approach to informing the patient about the risk of transmission of COVID-19. This may include a variety of methods: notices on the practice website, in appointment reminders, on office entrance doors, in the reception area, etc., advising the patient about the risk of infection, the importance of limiting persons in the medical office and any changes in office procedures/protocols the patient should expect during the visit. If possible, provide information in advance. This may include changes to patient flow, triage, treatment and design. Use clear signage with pictures recommending that patients call before entering if they have symptoms of any respiratory infection (e.g., cough, fever, sore throat, shortness of breath, etc.).
Post signage in appropriate languages instructing patients to alert staff about respiratory symptoms and to follow correct hygiene and cough etiquette. Additionally, provide educational material about risks, CDC guidance and when to seek medical attention for COVID-19 symptoms should they occur after the visit.
For a specific procedure or treatment that would require informed consent before proceeding, it is recommended that risk of COVID-19 be covered during the informed consent process. It is important that the patient understand and acknowledge the risk of COVID-19 infection, and make an informed decision to proceed with the treatment or refuse/defer treatment. Some specialty organizations may offer specific COVID-19 related consent forms. We encourage you to thoroughly review any recommended form and avoid inclusion of “assumption of liability” or “waiver of liability” statements if the patient contracts COVID-19. See waiver FAQ below.

Q: Should I have a waiver of liability form for treating patients during the COVID-19 pandemic?

A: No. Waivers of liability or statements by patients acknowledging assumption of risk are largely ineffective and often unenforceable. You may be familiar with liability waivers, such as those signed in contractual situations (recreational activities, opening a gym membership, cooking classes, etc). A waiver is simply a voluntary relinquishment or abandonment of a legal right. A liability waiver in the COVID-19 context is a written contract where the patient acknowledges the risks of accepting the services of a physician or other provider and agrees to waive liability for any adverse results. Most courts consider this type of waiver to be against public policy as it involves a matter of interest to the public. Healthcare providers are required to meet the standard of care and the courts frown upon efforts by them to contractually avoid liability. 
Your best defense may be a detailed informed consent discussion of risks, an opportunity for the patient to ask questions, the patient's decision to proceed with the treatment, and the patient's signature. This can effectively act as a limited waiver if one of the disclosed risks of the care or procedure results in injury or harm.
Likewise, statements assuring patients that your office is following protocols or guidelines are unnecessary.
Avoid statements such as:

  • “I, (patient), indemnify and hold harmless (physician, group, etc.)”
  • “I acknowledge (name of physician, practice, facility) has taken all reasonable efforts to prevent the transmission of COVID-19”
  • “CDC guidelines have been strictly followed”
  • “This office strives to provide the best possible care to patients during this time despite often limited resources and a lack of well-defined guidelines.”

Q: Can I be sued if a patient contracts COVID-19 after receiving care?

A: Yes, a patient will not be prevented from filing a lawsuit as long as the legal procedural requirements are met in the jurisdiction. However, a claim alleging COVID-19 infection from a physician or other provider’s negligence, like all claims, would have to be viewed in the context of the care that was provided. If reasonable precautions to prevent contamination were taken, the claim would be difficult to support.

Q: Should I follow a pre-screening protocol to assess patients for COVID-19?

A: Follow CDC and local health department guidelines that may require you to screen for COVID-19 symptoms, other high risk conditions for COVID-19, or contact with a person infected with COVID-19. Inform patients why additional questions are necessary by using phrasing similar to the following:
“Health authorities suspect the COVID-19 virus is contagious and can cause severe respiratory infections that spread mainly from person-to-person through close contact. For example, in a household, workplace or healthcare center. The virus is spread through coughing and sneezing, similar to how influenza and other respiratory pathogens are spread. For your safety as well as the safety of our own team members and other patients, we will be gathering additional information to better assess your risk of becoming infected by COVID-19 during your visit.”



Q:  Can your Business Associates disclose patient information in the interest of public health and do they have to notify us if they do?

A:  Previously, Business Associates (BAs) could only release patient information under the direction of the Covered Entity.  On April 2, 2020, the OCR provided notice that it is relaxing those requirements on BAs so they can release pertinent COVID-19 related information in the interest of public health. The notice specifically states:
OCR will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if:

  • the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
  • the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

Q:  Is it acceptable to share PHI about a COVID-19 positive, or potentially positive, patient with first responders?

A:  The HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19 to law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization under certain circumstances.  This link provides the document that specifies when it is acceptable to disclose PHI to first responders.

Q:  Are the HIPAA requirements waived during an emergency?

A: HIPAA Privacy and Security rules are still in effect, and for the most part have not been waived or relaxed.
In regards to telehealth (telemedicine), the Office for Civil Rights (OCR) has recently provided notice stating they will waive penalties for any potential HIPAA violations by healthcare providers who use everyday communications technologies such as FaceTime, Skype, Facebook Messenger video chat, Google Hangouts video chat, and similar private-facing platforms during the Coronavirus crisis for telehealth services. The OCR has also indicated platforms such as Facebook Live, Twitch, TikTok, and similar video services are considered public-facing and should NOT be used for telehealth services.
These relaxations for telehealth (telemedicine) are only for the remote treatment of patients through one-on-one communication technologies. Staff should continue following all Privacy and Security policies and procedures for protecting the privacy, security, and integrity of patient information, whether from the office or from home. Please see the FAQ on employees working from home for additional information on protecting patient information for those working from home.
HHS has a decision tool to walk you through the process of determining when, what, and how PHI may be disclosed in a Public Health Emergency.  These appropriate disclosures would be:

  • Treatment- information may be shared amongst the patient’s treating providers and those to which the patient is being referred for treatment.
  • Public Health Activities- information may be shared with public health authorities, such as the local health department, CDC, and those authorized by law to collect or receive such information to prevent or control disease or injury.
  • Family, Friends, and Others Involved in the Patient’s Care- limited information may be disclosed to certain friends, family members, or other individuals that are involved in the care of that person. Practices should still get verbal permission from the patient unless it can be inferred the patient wouldn’t object, or, using professional judgment, the provider determines it is in the patient’s best interest.
  • To Prevent a Serious and Imminent Threat- relevant information may be shared with anyone necessary to prevent or lessen a serious or imminent threat to the health and safety of a person or the public. This will be based on the professional judgement of the provider in making determinations to the nature and severity of the threat.
  • To First Responders at Risk for Infection- relevant information may be shared with First Responders so they may take additional steps to protect themselves or wear personal protective equipment.

In light of the COVID-19 pandemic, the Substance Abuse and Mental Health Services Administration (SAMHSA) has provided guidance stating that when, as determined by the provider, a medical emergency exists, healthcare providers may use their own judgement when disclosing substance use disorder records to other providers for treatment purposes. This is typically a disclosure that is not permitted without written patient consent, but SAMHSA has relaxed this requirement during the current crisis. SAMHSA emphasizes that, under the medical emergency exception, providers make their own determinations whether a bona fide medical emergency exists for purposes of providing needed treatment to patients.
These current relaxations, while they do not have an expiration date, are not permanent and will more than likely revert to previous guidance once the current State of Emergency passes.

Q: What should we tell patients about HIPAA and COVID-19 testing?

A: Patients should be aware that there is mandatory reporting of COVID-19 to the Department of Health, but that is still confidential.  The health department takes over once reported, but the physician offices still have to maintain confidentiality.

Q:  What do I need to consider if I have employees working from home?

A:  From a HIPAA standpoint, employees should treat patient information with the same privacy and security as they would in the office.  The current relaxation of Security guidelines only relates to Telehealth.  Practices must include employees working remotely in their Security Risk Analysis in order to remain compliant. Additionally:

  • Employees should have Confidentiality Agreements already in place, whether they are working in the office or at home.
  • Specific policies and procedures should be in place for employees that work from home.
  • Limit employee access to only the information necessary to do their job.
  • Enable encryption on home wireless routers and change the routers' default passwords to something more challenging.
  • Utilize a Virtual Private Network (VPN) if staff must log into a server.
  • Require work to be completed in an area of the home where only the employee can access and see patient information.
  • Instruct employees not to make copies, print, or save patient information on private devices.
  • If hard copies of patient information must be printed or kept, they should remain in a secure location with only employee access or be destroyed in a proper way such as confetti shredding.
  • Avoid emailing patient information unless using encrypted email.
  • Protect login information in a secure location and do not leave it out for anyone to see.
