In response to the COVID-19 pandemic, the Department of Health and Human Services (HHS) temporarily waived certain Medicare restrictions on telehealth—the delivery of some services via audio-only or video technology. Use of telehealth services increased from about 5 million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020). Total utilization of all Medicare services declined by about 14 percent post-waiver due to a 25 percent drop in in-person service use. GAO also found that, post-waiver, telehealth services increased across all provider specialties, and 5 percent of providers delivered over 40 percent of services. Urban providers delivered a greater percentage of their services via telehealth compared to rural providers; office visits and psychotherapy were the most common services.
Figure: Telehealth and In-Person Utilization, by Month, April 2019–December 2020
The Centers for Medicare & Medicaid Services (CMS) within HHS took actions to monitor some program integrity risks related to the telehealth waivers. However, CMS lacks complete data on the use of audio-only technology and telehealth visits furnished in beneficiaries’ homes. This is because there is no billing mechanism for providers to identify all instances of audio-only visits. Moreover, providers are not required to use available codes to identify visits furnished in beneficiaries’ homes. Complete data are important, as the quality of these services may not be equivalent to that of in-person services. Also, CMS has not comprehensively assessed the quality of telehealth services delivered under the waivers and has no plans to do so, which is inconsistent with CMS’ quality strategy. Without an assessment of the quality of telehealth services, CMS may not be able to fully ensure that services lead to improved health outcomes.
In March 2020, HHS’s Office for Civil Rights (OCR) announced that it would not impose penalties against providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the COVID-19 public health emergency. OCR encouraged covered providers to notify patients of potential privacy and security risks. However, it did not advise providers of specific language to use or give direction to help them explain these risks to their patients. Providing such information to providers could help ensure that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology.
Why GAO Did This Study
By law, Medicare pays for telehealth services under limited circumstances—such as only in certain (mostly rural) geographic locations. The waivers and other flexibilities that HHS issued in March 2020 (including under its own regulatory authority) have allowed services to be safely delivered and received during the pandemic. There is stakeholder interest in making these changes permanent. GAO and others have noted that extending them may increase spending and pose new risks of fraud, waste, and abuse.
GAO was asked to review telehealth services under the waivers. This report describes, among other issues, (1) the utilization of telehealth services, (2) CMS efforts to identify and monitor risks posed by Medicare telehealth waivers, and (3) a change OCR made to its enforcement of regulations governing patients’ protected health information during the COVID-19 public health emergency.
GAO analyzed Medicare claims data from 2019 through 2020 (the most recently available data at the time); reviewed federal statutes, CMS documents (including its assessment of risks posed by telehealth waivers), and OCR guidance; and interviewed agency officials.