GAO, Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks
GAO-22-104454
To help patients access care during the pandemic, Medicare temporarily waived restrictions on telehealth — health care services delivered via phone or video. The use of telehealth services rose tenfold: 53 million telehealth visits in Apr.-Dec. 2020 vs. 5 million during the same period in 2019.
But Medicare hasn't comprehensively assessed the quality of care patients received, and lacks data on telehealth services delivered in patients' homes or via phone. Patients may also be unaware that their private health information could be overheard or inappropriately disclosed during their video appointment.
Our recommendations address these issues.
What GAO Found
In response to the COVID-19 pandemic, the Department of Health and Human Services (HHS) temporarily waived certain Medicare restrictions on telehealth—the delivery of some services via audio-only or video technology. Use of telehealth services increased from about 5 million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020). Total utilization of all Medicare services declined by about 14 percent post-waiver due to a 25 percent drop in in-person service use. GAO also found that, post-waiver, telehealth services increased across all provider specialties, and 5 percent of providers delivered over 40 percent of services. Urban providers delivered a greater percentage of their services via telehealth compared to rural providers; office visits and psychotherapy were the most common services.
Figure: Telehealth and In-Person Utilization, by Month, April 2019 – December 2020
The Centers for Medicare & Medicaid Services (CMS) within HHS took actions to monitor some program integrity risks related to the telehealth waivers. However, CMS lacks complete data on the use of audio-only technology and telehealth visits furnished in beneficiaries' homes. This is because there is no billing mechanism for providers to identify all instances of audio-only visits. Moreover, providers are not required to use available codes to identify visits furnished in beneficiaries' homes. Complete data are important, as the quality of these services may not be equivalent to that of in-person services. Also, CMS has not comprehensively assessed the quality of telehealth services delivered under the waivers and has no plans to do so, which is inconsistent with CMS' quality strategy. Without an assessment of the quality of telehealth services, CMS may not be able to fully ensure that services lead to improved health outcomes.
In March 2020, HHS's Office for Civil Rights (OCR) announced that it would not impose penalties against providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the COVID-19 public health emergency. OCR encouraged covered providers to notify patients of potential privacy and security risks. However, it did not advise providers of specific language to use or give direction to help them explain these risks to their patients. Providing such information to providers could help ensure that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology.
Why GAO Did This Study
By law, Medicare pays for telehealth services under limited circumstances—such as only in certain (mostly rural) geographic locations. The waivers and other flexibilities that HHS issued in March 2020 (including under its own regulatory authority) have allowed services to be safely delivered and received during the pandemic. There is stakeholder interest in making these changes permanent. GAO and others have noted that extending them may increase spending and pose new risks of fraud, waste, and abuse.
GAO was asked to review telehealth services under the waivers. This report describes, among other issues, (1) the utilization of telehealth services, (2) CMS efforts to identify and monitor risks posed by Medicare telehealth waivers, and (3) a change OCR made to its enforcement of regulations governing patients' protected health information during the COVID-19 public health emergency.
GAO analyzed Medicare claims data from 2019 through 2020 (the most recently available data at the time); reviewed federal statutes, CMS documents (including its assessment of risks posed by telehealth waivers), and OCR guidance; and interviewed agency officials.
Recommendations
GAO is making three recommendations for CMS to strengthen its telehealth oversight, and one for OCR to provide additional direction to providers to explain privacy and security risks to patients. HHS neither agreed nor disagreed with the three CMS recommendations and concurred with the OCR recommendation.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Centers for Medicare & Medicaid Services | The Administrator of CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Centers for Medicare & Medicaid Services | The Administrator of CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Centers for Medicare & Medicaid Services | The Administrator of CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the public health emergency. Such an assessment could include leveraging evidence from related efforts led by other HHS agencies. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office for Civil Rights for the Department of Education | OCR should provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |