Telehealth 2025: The Final Rule

CMS is set to reinstate certain pre-pandemic telehealth policies if Congress doesn’t step in ASAP.

CMS issued the calendar year (CY) 2025 Medicare Physician Fee Schedule (MPFS) final rule on Nov. 1, 2024, publishing guidance that will have providers and coders scrambling to figure out how to handle their Telehealth patients in 2025, unless something is “fixed” or addressed immediately by Congress.

Absent Congressional action, the Final Rule for telehealth services effective Jan. 1, 2025, could leave 85% or more Medicare patients without access to virtual care.

I’ll start with the highlights of telehealth policy changes based in the 2025 MPFS final rule.

Telemedicine Flexibilities

Originating site location telehealth flexibilities that began during the COVID-19 public health emergency and were extended through 2024 by Congress, will end, as required by current law. Starting Jan. 1, 2025, telehealth originating site rules (where the patient is located at the time of service) will limit patient location to certain rural and underserved areas. Several Bills under consideration in Congress would extend or make telehealth flexibilities permanent but those Bills are pending and have not gotten past the Senate or House for approval as of yet.

  • Starting Jan. 1, 2025, two-way, real-time audio-only communication will satisfy the requirement for an interactive telecommunications system under specific circumstances when a patient cannot use or does not consent to using video technology. However, the distant site practitioner must still have audio-video capabilities. (Again, if the geographical site regulation is not changed from the pre-PHE rules by Congress, this is a moot point).
    • Again, pre-pandemic geographic and location restrictions for telehealth (before March 1, 2020) are being reinstated. This means that unless a Medicare patient lives or is located in a health professional shortage area, a rural census track, or a county outside of the metropolitan statistical area, at the time of service, they will not be covered for telehealth services in 2025.
  • Through calendar year 2025, CMS will continue to permit a distant site practitioner to use their currently enrolled practice location instead of their home address when providing telehealth services from their home. They will consider this issue further for future rulemaking.
  • CMS acknowledges the CPT® Editorial Panel’s decision to delete audio-only telephone services CPT® codes 99441-99443 for 2025. However, Medicare will not recognize 16 of the 17 telehealth CPT® codes (98000-98016) added for 2025; CPT® codes 98000-98015 will have an “I” Invalid status.
  • Medicare will pay separately for brief virtual check-in encounter CPT® code 98016 in lieu of HCPCS Level II code G2012, which CMS is deleting due to redundancy.
  • Direct supervision through real-time audio and visual interactive telecommunications (not audio only) will continue to be allowed on qualifying services.
  • Certain behavioral and mental health services will be permanently offered under telehealth for Medicare patients beginning Jan. 1, 2025. A link to CMS’s List of Telehealth Services is in the Resources section, which you should reference (once the list is updated on January 1st). (See the CAA – Consolidation Appropriations Act of 2021, Section 123 which outlines the BH permanent benefits under Medicare for 2025).
  • Place of service (POS) codes will continue to have two telehealth designations:
  • 02 Patient not in their home when telehealth services are rendered; or
  • 10 Patient in their home when telehealth services are rendered. POS 10 will continue to be paid at the non-facility rate.
  • CMS will continue to allow physicians to list their practice address, rather than their home address, when performing Medicare services via telehealth from their home.
  • Teaching physicians may continue to have a virtual presence in all teaching settings, but only for Medicare telehealth services. This was only extended 1-year through Dec. 31, 2025.
  • Both patient and any approved Telehealth provider must be in the U.S. (including U.S. territories) when the services are done. Out of country medical services are not covered by Medicare via telehealth or otherwise.

Authoritative references are provided in the resources section to allow you to source the information yourself.

Congress Could Change Everything

We still have until the end of 2024 for Congress to fix the geographical location issue for telehealth. But time is of the essence, or more than 85 percent of Medicare patients’ telehealth encounters occurring after Jan. 1, 2025, could be invalid for payment.

NAMAS urges you to contact your local representative to draw attention to this matter.

References and Resources

As first published on AAPC.com and NAMAS.co
This is a revision by the same author, Terry Fletcher, to this original article.

Complexity Add-on Code G2211

Effective January 1, 2024, complexity add-on code G2211 may be submitted with Evaluation and Management (E/M) office or outpatient (O/O) visits, 99202-99215.

G2211 includes services enabling practitioners to build longitudinal relationships with all patients (not only those patients who have a chronic condition or single, high-risk disease) and to address most patients’ health care needs with consistency and continuity over longer periods of time.

Documentation would support furnishing services to patients on an ongoing basis that results in care personalized to the patient. The services result in a comprehensive, longitudinal, and continuous relationship with the patient and involve the delivery of team-based care that is accessible, coordinated with other practitioners and providers, and integrated with the broader healthcare landscape.

The complexity add-on code would support a long-term patient-provider relationship and would indicate the provider will be managing the patient’s health care over a long period. The provider would build a trusting patient-doctor relationship and be the continuing focal point for all needed health care services related to the ongoing patient’s single, serious condition or complex condition. Every patient would be unique with their health care needs and templated language for the add-on code may not support medical necessity. This is an important caveat as many EMRs have templated drop-down screens that consistently are used for “cut and paste” repeated information visit-to-visit and this is frowned upon to bill the G2211.

The code does not limit the type of provider based on specialties.

Code descriptor

+G2211: Visit complexity inherent to evaluation and management associated with medical care services that serve as the continuing focal point for all needed health care services and/or with medical care services that are part of ongoing care related to a patient’s single, serious condition, or a complex condition. (add-on code, list separately in addition to office or outpatient E/M visit, new or established)

E/M with Modifier -25

Separately identifiable E/M visits billed with modifier -25 occurring on the same day as a minor procedure, have resources sufficiently distinct from the costs associated with that reimbursement. CMS will not allow payment for the add-on code G2211 when the E/M service is billed with modifier 25.

*There is a 2025 PFS proposed update that would allow G2211 with modifier 25 when an E/M service is done on the day of an annual wellness visit, immunization or other CMS-covered preventive service. This is a proposal, not a final rule yet. (Refer to MLN 13272 in resources.)

Examples included in CR13452

Example 1:

A patient has a primary care practitioner that is the continuing focal point for all health care services, and the patient sees this practitioner to be evaluated for sinus congestion. The inherent complexity that this code (G2211) captures is not in the clinical condition itself – sinus congestion – but rather the cognitive load of the continued responsibility of being the focal point for all needed services for this patient. There is previously unrecognized but important cognitive effort of utilizing the longitudinal relationship itself in the diagnosis and treatment plan and weighing the factors that affect a longitudinal doctor-patient relationship.

In this example, the primary care practitioner could recommend conservative treatment or prescription of antibiotics. If the practitioner recommends conservative treatment and no new prescriptions, some patients may think that the doctor is not taking the patient’s concerns seriously and it could erode the trust placed in that practitioner. In turn, an eroded primary care practitioner-patient relationship may make it less likely that the patient would follow that practitioner’s advice on a needed vaccination at the next visit.

The primary care practitioner must decide, what course of action and choice of words in the visit itself, would lead to the best health outcome in this single visit, while simultaneously building up an effective, trusting longitudinal relationship with this patient for all their primary health care needs. Weighing these various factors, even for a seemingly simple condition like sinus congestion, makes the entire interaction inherently complex, and it is this complexity in the relationship between the doctor and patient that this code captures.

Example 2:

A patient with HIV has an office visit with their infectious disease physician, who is part of ongoing care. The patient with HIV admits to the infectious disease physician that there have been several missed doses of HIV medication in the last month. The infectious disease physician has to weigh their response during the visit, the intonation in their voice, the choice of words to not only communicate clearly that it is important to not miss doses of HIV medication, but also to create a sense of safety for the patient in sharing information like this in the future. If the interaction goes poorly, it could erode the sense of trust built up over time, and the patient may be less likely to share their medication adherence shortcomings in the future.

If the patient isn’t forthright about their medication adherence, it may lead to the infectious disease physician switching HIV medicines to another with greater side effects, even when there was no issue with the original medication. It is because the infectious disease physician is part of ongoing care, and has to weigh these types of factors, that the E/M visit becomes inherently more complex, and the practitioner bills code G2211. Even though the infectious disease doctor may not be the focal point for all services, such as in the previous example, HIV is a single, serious condition, and/or a complex condition, and so as long as the relationship between the infectious disease physician and patient is ongoing, this E/M visit could be billed with the add-on.


To reiterate, the most important information used to determine whether the add-on code could be billed is the relationship between the practitioner and the patient. If the practitioner is the focal point for all needed services, such as a primary care practitioner, the HCPCS G2211 add-on code could be billed. Or, if the practitioner is part of ongoing care for a single, serious and complex condition (e.g., sickle cell disease), then the add-on code could be billed. The add-on code captures the inherent complexity of the visit that is derived from the longitudinal nature of the practitioner and patient relationship.

An example of when not to use the G2211 with an office visit. Even though this add on code is allowed with a new patient office visit, use with caution, since there has not been that “longitudinal relationship” established yet. Also, if you do not anticipate or expect the patient to return for follow up in the long term, it may also not be an appropriate add on.

If an established patient presents for a recheck appointment with no new problems or concerns to “address” and the chronic condition discussion is not a concern or contributory for this encounter of a simple or low level “recheck” it would be difficult to support the G2211 along with an E/M visit.

CMS also states that not all E/M’s would be eligible. “…E/M visit complexity add-on code would not be appropriately reported, such as when the care furnished during the O/O E/M visit is provided by a professional whose relationship with the patient is of a discrete, routine or time-limited nature…” . They provide specific examples of conditions that would not require the add on complexity code: mole removal, treatment of a simple virus, seasonal allergies, new onset GERD, treatment for a fracture, and/or “when the billing practitioner has not taken responsibility for ongoing medical care for that particular patient with consistency and continuity over time, or does not plan to take responsibility for subsequent, ongoing medical care for that particular patient with consistency and continuity over time.” p. 432 Final Rule 2024.

I have heard that many practices have taken some liberties when adding the G2211 to every single E/M when the patient comes in. I will continue to discourage that practice. Above all things, services need to be “medically necessary”, and patients will also have a share of cost attached to this add on. It is being reimbursed around $16.50 on average, but 2nd quarter 2024 already has several commercial plans taking it off their fee schedule. United Healthcare, specifically, put out in their June 2024 policy update newsletter to providers, “Effective with dates of service on or after September 1st, 2024, HCPCS code G2211 will be included within the UHC Commercial Rebundling Policy, Professional Claims: UHC’s reimbursement for the services associated with G2211 is included in its reimbursement for outpatient evaluation and management services and therefore G2211 is not separate reimbursable.”

I would expect more commercial plans to follow with the over-utilization of this code in the first quarter of 2024 after the rollout. Monitor your EOB for possible denials in the future. Also, listen for updates on my CodeCast Podcast, which publishes every Tuesday.

References

Reporting SDoH G0136 in compliance

(updated 4/6/2024) – This is also posted on the NAMAS.co website

2024 brought new HCPCS codes that Medicare, Medicare Advantage and some 3rd-party Commercial plans that they will now pay for. One of those codes is the G0136; that is the Social Determinate of Health (SDoH) assessment. It is not an add on code, but a stand-alone assessment.

G0136 is defined as “Administration of a standardized, evidence-based Social Determinants of Health Risk Assessment, 5-15 minutes, not more often than every 6 months.”

G0136 is not a screening tool that should be used on all Medicare patients at office visits or annual wellness visits.

It is an assessment, not a screening. The assessment is performed at a visit after the physician/NPP has seen the patient and decides that it is necessary. And, if problems are found, follow-up is required. See CMS 2024 Final Rule citations below.

From the Final Rule, they do expect that a practitioner who furnishes the risk assessment would “… at a minimum, refer the patient to relevant resources and take into account the results of the assessment in their medical decision making, or diagnosis and treatment plan for the visit.” p.358 Final Rule.

CMS also, was clear that this is not a screening, and it requires physician follow-up.

“We reiterate that the SDoH risk assessment code, HCPCS code G0136, when performed in conjunction with an E/M or behavioral health visit is not designed to be a screening, but rather tied to one or more known or suspected SDoH needs that may interfere with the practitioners’ diagnosis or treatment of the patient.” CMS Final Rule, goes on to say, “An SDOH risk assessment without appropriate follow-up for identified needs would serve little purpose and we continue to believe that follow-up or referral is an important aspect of following up on findings from an SDoH risk assessment.” p.346 Final Rule.

Here is my professional advice on reporting this new code

The only time you would bill Traditional Medicare and/or Medicare Advantage Plans for the SDoH assessment, G1036, is when an SDoH need is suspected, identified, and a plan of care is needed to address these concerns, and at least 5 minutes or greater is documented, as described in the code. Remember, the AWV guidelines were updated this year to include the SDoH considerations, so if there are “unmet needs” that need to be addressed, report it. The appropriate SDoH needs to be identified in the medical record documentation and reported with appropriate diagnosis codes from the ICD-10-CM categories, Z55-Z65. (linking Z13.9 encounter for screening would not be appropriate)

When the patient is presenting for a problem-oriented encounter, this assessment can be done on the day of an E/M service (99202-99215), not including code 99211. Since the patient is there for a problem-oriented visit, I would want to see that there is a reason linked to the problems addressed and the SDoH that needs attention. It would not be reported for every patient, as some just come in for that 3-6 month checkup, or annual medicine reconciliation, etc, and there are no SDoH factors to consider on that DOS. As with all medical services, it has to be medically necessary to capture it.

According to CodingIntel.com, during the Final Rule CY 2024 comment period, CMS was asked about the patient using an on-line portal rather an having the service done on the day of an E/M service and can that be considered the assessment. The short answer is No. Again, CMS believes that this is not a screening, but an assessment, and is to be used when the practitioner believes that the patient has unmet SDoH needs that are interfering with the diagnosis or treatment of an illness, so this needs to be an in-person assessment.

(source: https://codingintel.com/screening-for-social-determinants-of-health-sdoh/ )

CMS did not finalize the requirement that the assessment must be done on the same day as one of these visits, but it seems likely that is when it will be done. They do not believe it will be performed in advance, via a portal, because it is not a screening. It is performed as an assessment based on the practitioner’s evaluation of the patient’s situation.

Also, it is important to remember that G0136 will be subject to cost sharing, (co-pay and deductible) unless it is done at an Annual Wellness Visit (AWV), codes G0438-G0439. The published guidance, when performed on the same date as the AWV, states, that the G0136 will need a -33 modifier to waive the out of pocket for the patient.

Here is the reimbursement breakdown

  • Non-Facility total RVU is 0.57 = $18.39 (office)*
  • Facility total RVU is 0.18 = $5.99 (hospital, SNF, CAH, etc..)*

(* For services after 3/9/2024 the adjusted CY CF is $33.2875)

Some examples of SDoH factors (diagnoses) per NIH.gov

  • Illiteracy and low-level literacy —> Low health literacy may require different or more extensive efforts with patient education (i.e. all verbal instruction because patient can’t read written instructions)
  • Inadequate housing —> Patient may lack refrigeration in their home so can’t be prescribed cold storage medications, so you have to prescribe something else. May have mold infestation so have to intensify management of their asthma.
  • Extreme poverty or Low income —> May not be able to afford medications or other over-the-counter type therapies/devices.
  • Disappearance and death of family member —> May decide to defer addressing some medical issues to prioritize providing emotional support for bereavement.
  • Child in welfare custody. —> May have to spend extra time educating new foster parent on medical management or on how to provide support care for medical condition

Even though CMS does not require a specific form or tool, a link was offered on page 346 of the Final Rule. This link was offered for CMS’ Accountable Health Communities tool and is below in references and resources.

References and Cited Resources

OCR Issues a 90-day transition for HIPAA Compliant Telehealth Platforms

Under the PHE (Public Health Emergency), non-HIPAA compliant platforms (like smartphone applications FaceTime and Skype) were allowed as long as they were not public facing (i.e., TikTok, Vimeo, etc).

But with the PHE winding down in less than a month, the OCR (Office of Civil Rights) originally state that this flexibility would expire with the PHE. Meaning that the platform used for all Telehealth encounters has to be HIPAA protected.

The Office of Civil Rights, updated this statement in April and said they are “providing a 90-day transition period for healthcare providers to come into compliance with the HIPAA Rules regarding telehealth, according to the HHS OCR.”

The transition period will be in effect beginning on May 12 and will expire at 11:59 p.m. on August 9.

OCR said it would continue to exercise its enforcement discretion and not impose penalties on covered providers for noncompliance during the 90-day transition period. Once the transition period ends, patients will no longer be able to use their non-HIPAA smartphone apps for their Telehealth encounters. They will need to access HIPAA-secured platforms, and physician practices should make sure they are also posting this alert and change in plain sight for patients. They have been used to 3 years of relaxed rules, and these rules will be back to pre-PHE status by August. The time is now to start making the transition.

Other telehealth provisions expire at the end of 2023 and 2024. Look for our Medicare 1st and 2nd Quarter NSCHBC Webinars for more information on all statuses of the 1135 Waiver Flexibilities at https://nschbc.org/catalog_qtrly.

Why This Matters

HIPAA Enforcement Discretion is expiring with the end of the COVID-19 Public Health Emergency on May 11, according to the OCR notice on April 11.

OCR issued four Notifications of Enforcement Discretion that applied to certain violations of HIPAA rules during the PHE. These were related to community-based testing sites; using protected health information for public health; scheduling appointments for COVID-19 vaccinations; and telehealth.

The “Big Picture”

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency will expire at 11:59 pm on May 11, with the expiration of the COVID-19 public health emergency.

In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the Privacy, Security, Breach Notification, and Enforcement Rules of HIPAA would be applied to certain violations during the COVID-19 nationwide public health emergency.

These Notifications and the effective beginning and ending dates are:

  • Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency, effective from March 13, 2020, to 11:59 pm May 11, 2023.
  • Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency, effective from March 17, 2020, to 11:59 pm May 11, 2023.
  • Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, effective from April 7, 2020, to 11:59 pm May 11, 2023.
  • Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency, effective from December 11, 2020, to 11:59 pm May 11, 2023.

The Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency may be found at: https://public-inspection.federalregister.gov/2023-07824.pdf – PDF.

On The Record

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the healthcare sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for healthcare providers to make any changes to their workflow operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

References

(PHE) Public Health Emergency set to end on May 11th

An announcement on Monday, January 30th, by the OMB (Office of Management and Budget), and the White House, stated that they plan to end the COVID-19 national emergency and public health emergency on May 11th.

The end of the emergency declarations would signal a new chapter in the Biden administration’s response to the COVID pandemic. The (PHE) public health emergency was enacted by the Trump administration in 2020, in response to the COVID-19 pandemic and has been extended 12 times in the past almost, three years, by our former and current HHS Secretary.

The White House’s plan to end the public health declaration on May 11 came in a statement opposing two Republican House Bills that would end the emergency declarations sooner.

“This wind-down would align with the Administration’s previous commitments to give at least 60 days’ notice prior to termination of the PHE,” the White House said in a statement. In August 2022, CMS issued a statement on its website, encouraging providers and hospitals to start their processes for moving away from the public health emergency¹.

Why this matters

The end of the emergency will also mean states must start the laborious process of redetermining Medicaid eligibility for more than 3 million covered patients.

Congress’ end-of-year spending package gave clarity on another part of the public health emergency: the end of the continuous coverage requirement for Medicaid.

At the start of the pandemic, the federal government increased the matching rate for Medicaid payments to states, but only if the state would not drop anyone off Medicaid’s rolls for the duration of the public health emergency. The spending package, however, enabled states to start Medicaid eligibility redeterminations on April 1. This was necessary because many patients went back to work, were not eligible for Medicaid, and are sitting with dual coverage, which is very expensive for states when the patient has employer-sponsored health insurance already.

The White House statement went on to say, “Ending these emergency declarations in the manner contemplated by H.R. 382 and H.J. Res. 7 would have two highly significant impacts on our nation’s health system and government operation,” the statement said. “An abrupt end to the emergency declarations would create wide-ranging chaos and uncertainty throughout the health care system—for states, for hospitals and doctors’ offices, and, most importantly, for tens of millions of Americans.”

However, the statement did not take into account the 2022 Consolidated Appropriations Act and the 2023 Omnibus Bill that was signed into law on 12/29/2022, which will extend many of the 1135 Waiver Flexibility under the CARES Act, including Telehealth once the PHE ends.

The Omnibus Act, which Congress passed late last year, extended many Telehealth services and reimbursements under Medicare. One rule of note was the originating site requirements for patients receiving Telehealth services. They may still use their home as an “originating site” to receive Telehealth services. The rules on crossing State-lines however, have expired in many states and we encourage practices to research if their state will still allow their physician to practice medicine in a state where they are not licensed. Most won’t. The link below will help in this determination².

The current PHE was set to expire on April 11th, 2023. The original national emergency that was declared on March 13, 2020, was set to expire on March 1, the OMB said.

The announcement gives providers more than their promised 60-day notice of the end of the PHE and the termination of many of the waivers the Centers for Medicare and Medicaid Services put in place to ease restrictions on hospitals and other providers during the public health emergency.

The Biden administration plans to extend the national emergency declaration and the PHE to May 11th, and then end both emergencies on that date.

The OMB also announced on Monday that H.R. 497, which it opposes, would end the COVID-19 vaccine mandates for healthcare providers. Once the PHE ends, it is unclear if those mandates will be lifted, but it appears that they will be.

The larger picture

The PHE has been extended 12 times since it was first made in January 2020, effective March 1st, 2020.

The current PHE, extended by current Health and Human Services Secretary Xavier Becerra on January 11, was scheduled to end on April 11. The providers’ promised 60-day notice would have been on February 10th. This is an additional 30 days to that 60-day promise to work on the rollbacks.

What hasn’t been addressed in the post-PHE era

  • Audio-only Telehealth was extended through 2024 for some services, but “payment parity” was only extended through 2023.
  • New patients were allowed to be seen under the PHE, but once the PHE ends, only established patients will be able to receive Telehealth services, reverting to the original rule that there “..has to be an established patient relationship..” to engage in Telehealth services.
  • OCR (Office of Civil Rights) office announced after the OMNIBUS Bill was signed into law, that even though Telehealth will still be allowed through 2024, the non-HIPAA platforms that were allowed, (e.g. Skype and FaceTime), will no longer be an option. Patients and Providers will have to engage in HIPAA-secured platforms for the delivery of Telehealth.
  • Behavioral Health Services will continue to be allowed under Audio and Video, and Audio-only rules, with some restrictions and identifying modifiers.
  • The POS (Place of Service) can continue to be the POS that would have been appropriate if the patient was seen in person. However, POS 10 can be used when the patient’s originating site is their home. Reimbursement may be based on facility rates instead of non-facility rates.

There are more rules to discuss. I invite you to join me at the NAMAS 2023 Virtual Conference where the session of Telehealth – post-PHE will be presented by Healthcare Consultant and SME Terry Fletcher and Healthcare Attorney Brianna Santolli, Esq. April 5th and 6th, 2023. Also, this topic of post-PHE will be discussed in my Medicare 1st Quarter Webinar update with NSCHBC.

You can register here: https://nschbc.org/catalog_qtrly

 

References:

¹ Creating a Roadmap for the End of the COVID-19 Public Health Emergency | CMS

² https://www.cchpca.org/topic/cross-state-licensing-professional-requirements/

 

What’s changing with the new 2023 AMA CPT E/M update?

Physician practices have been trying to keep up with all of the recent changes that have been made to the Evaluation and Management Codes over the past 2 years in the office setting.

In 2021, AMA CPT® Editorial Panel approved and published new documentation guidelines for Office and Other Outpatient Evaluation and Management (E/M) CPT® codes (99202-99215, deleting 99201) and their code descriptors and documentation standards that directly addressed the continuing problem of administrative burden for physicians in nearly every specialty, across the country.

After these revisions were implemented, in 2021, it has been challenging for physicians to manage two sets of documentation rules, since the office visits were the only rules updated and the 1995/1997 documentation guidelines were still in place for all hospital E/M services.

However, announced this past week, is some good news. The CPT® Editorial Panel has now approved, for 2023, additional revisions to the rest of the E/M code section. These revisions seek to provide continuity across all the E/M sections, by allowing for the revisions implemented in the E/M office visit section in 2021 to extend to all other E/M sections beginning January 1st, 2023.

Medicare (CMS) also has a stake in this update and published their version of the new updates in their recent (July 7th) newsroom article.

Evaluation and Management (E/M) Visits

As part of the ongoing updates to E/M visits and related coding guidelines that are intended to reduce administrative burden, the AMA CPT® Editorial Panel approved revised coding and updated guidelines for Other E/M visits, effective January 1, 2023. Similar to the approach we finalized in the CY 2021 PFS final rule for office/outpatient E/M visit coding and documentation, we are proposing to adopt most of these changes in coding and documentation for Other E/M visits (which include hospital inpatient, hospital observation, emergency department, nursing facility, home or residence services, and cognitive impairment assessment) effective January 1, 2023. This revised coding and documentation framework would include CPT code definition changes (revisions to the Other E/M code descriptors), including:

  • New descriptor times (where relevant).
  • Revised interpretive guidelines for levels of medical decision making.
  • Choice of medical decision making or time to select code level (except for a few families like emergency department visits and cognitive impairment assessment, which are not timed services).
  • Eliminated use of history and exam to determine code level (instead there would be a requirement for a medically appropriate history and exam).

We are proposing to maintain the current billing policies that apply to the E/Ms while we consider potential revisions that might be necessary in future rulemaking. We are also proposing to create Medicare-specific coding for payment of Other E/M prolonged services, similar to what CMS adopted in CY 2021 for payment of Office/Outpatient prolonged services.

The following is also a summary of some “key” revisions to the E/M code descriptors and guidelines for 2023 will be.

  • Expect deletion of observation CPT® codes (99217-99220, 99224-99226) and merged into the existing hospital care CPT codes (99221-99223, 99221-99233, 99238-99239), with updated code descriptors.
  • Consultations will get a facelift, with the deletion of some confusing guidelines, including the definition of “transfer of care”.
  • In keeping with the level one CPT® code deletions of 2021, as MDM duplication, expect to see the deletion of lowest level office (99241) and inpatient (99251) consultation codes to align with four levels of MDM, in 2023.
  • Nursing facility services, along with home and residence services will also see revisions in line with similar documentation rules as the 2021 office visit revisions.
  • Home and residence services or what is also referred to as the domiciliary or rest home CPT® codes (99324-99340) were deleted and merged with the existing home visit CPT® codes (99341-99350).

The CPT® Editorial Panel worked to again, create revisions to the E/M code descriptors and guidelines that met their objective to decrease the administrative burden of excessive documentation whenever possible. We hope as physicians continue to embrace these changes, that it will decrease the need for audits, through the expansion of fundamental definitions of E/M encounters, and by focusing on patient care, and not the unnecessary and potential non-contributory work of cut and paste, templated items.

We will be presenting Educational Webinars OnDemand and Live on E/M updates to make sure everyone is up to speed on their updates prior to implementation, 1-1-2023. These will be scheduled this fall. Continue to visit our website for an updated educational calendar.

References and Resources

PHE Extended But Some Waivers Expired

The PHE was renewed another 90-days effective April 16th, 2022, but what 1135 waivers expired?

Renewal of De​​termination That A Public Health Emergency Exists

As a result of the continued consequences of the Coronavirus Disease 2019 (COVID-19) pandemic, on this date and after consultation with public health officials as necessary, I, Xavier Becerra, Secretary of Health and Human Services, pursuant to the authority vested in me under section 319 of the Public Health Service Act, do hereby renew, effective April 16, 2022, the ​January 31, 2020, determination by former Secretary Alex M. Azar II, that he previously renewed on April 21, 2020, July 23, 2020, October 2, 2020, and January 7, 2021, and that I renewed on April 15, 2021, July 19, 2021, October 15, 2021, and January 14, 2022, that a public health emergency exists and has existed since January 27, 2020, nationwide.

As expected, the COVID-19 PHE (Public Health Emergency) has been extended another 90-days, effective April 16th, 2022. This means that “most” waivers under the 1135 CARES Act of 2020 will continue to stay in effect through this period, through July 19th, while others are winding down.

CMS has already alerted providers that many nursing home compliance standards will phase out, while still protecting those residents.

During the PHE, CMS used a combination of emergency waivers, 1135 Regulations, and sub regulatory guidance to offer healthcare providers the flexibility needed to respond to the COVID-19 pandemic. CMS is ending specific waivers to two groups: One will end 30-days from the issuance of the new guidance and the other group will terminate 60-days from issuance.

Telehealth

The good news is that access to certain services, primarily Telehealth Coverage, continues not only through July, under the waiver 1135 flexibilities, but also with the Consolidated Appropriations Act of 2022 Congressional extension, it will continue to be covered for 151 days after the PHE ends. But what does that mean exactly and are there any variables that need to be addressed?

Telehealth with the patient using their home as the originating site, will continue to be allowed when billing for office visits when an audio and video connection exists.  Audio only visits billed with telephone CPT® codes, will continue for another 90-days as well.

However, there was a new PHE Fact sheet that was published on April 7th, (see link to this sheet below), that addressed some compliance issues that have not been addressed during the PHE, and this could be problematic for many physician practices.

Question 5: Can Medicare fee-for-service rules regarding physician State licensure be waived in an emergency?

The HHS Secretary has authorized 1135 waivers that allow CMS to waive the Medicare requirement that a physician or non-physician practitioner must be licensed in the State in which s/he is practicing for individuals for whom the following four conditions are met:

  1. The physician or non-physician practitioner must be enrolled as such in the Medicare program,
  2. The physician or non-physician practitioner must possess a valid license to practice in the State which relates to his or her Medicare enrollment,
  3. The physician or non-physician practitioner is furnishing services – whether in person or via telehealth – in a State in which the emergency is occurring in order to contribute to relief efforts in his or her professional capacity, and
  4. the physician or non-physician practitioner is not affirmatively excluded from practice in the State or any other State that is part of the 1135 emergency area.

In addition to the statutory limitations that apply to 1135-based licensure waivers, an 1135 waiver, when granted by CMS, does not have the effect of waiving State or local licensure requirements or any requirement specified by the State or a local government as a condition for waiving its licensure requirements. Those requirements would continue to apply unless waived by the State. Therefore, in order for the physician or non-physician practitioner to avail him or herself of the 1135 waiver under the conditions described above, the State also would have to waive its licensure requirements, either individually or categorically, for the type of practice for which the physician or non-physician practitioner is licensed in his or her home State.

Many practices made assumptions that if CMS and Medicare said you can do it, that this was a blanket waiver for all states and all payers. Not true.

Question 10: Does a PHE declaration waive or preempt state licensing requirements for healthcare providers?

No, a PHE declaration does not waive or preempt state licensing requirements. States determine whether and under what circumstances a non-Federal healthcare provider is authorized to provide services in the state without state licensure. As discussed in response #5 above, when the Secretary issues an 1135 waiver, the Secretary may waive Medicare, Medicaid or SCHIP requirements that physicians and other health care professionals hold licenses in the State in which they provide services. This would be for Medicare, Medicaid or SCHIP reimbursement purposes only, and would apply only if the physicians or other health care providers have an equivalent license from another State (and are not affirmatively barred from practice in any State in the emergency area).

Again, these clarifications were made on the PHE, not included in the COVID-19 FAQ Sheets. This may be confusing for some practices, as again assumptions made where not clear. I would strongly urge physicians who treated patients during the PHE, via Telehealth in other states, to check with their personal liability insurance coverage and their healthcare attorney to make sure no infractions of the rules were made. Also, any retired physicians that were allowed, again, under the COVID-19 waivers, to come out of retirement and see patients via Telehealth for Medicare, did your state allow this for private insurance and self-pay patients? Many state level PHE Waivers expired in 2021, and early 2022.

We strongly urge clients and physicians to check with their liability/malpractice insurance and their state legislature rules on Telehealth, and what is allowed for physicians continuing to cross state lines with virtual care. Protect yourself and your practice by being informed. If you need any assistance finding this information, please use our “Contact Us” tab to engage services.

References

Renewal of Determination That A Public Health Emergency Exists

As a result of the continued consequences of the Coronavirus Disease 2019 (COVID-19) pandemic, on this date and after consultation with public health officials as necessary, I, Xavier Becerra, Secretary of Health and Human Services, pursuant to the authority vested in me under section 319 of the Public Health Service Act, do hereby renew, effective October 18, 2021, the January 31, 2020, determination by former Secretary Alex M. Azar II, that he previously renewed on April 21, 2020, July 23, 2020, October 2, 2020, and January 7, 2021, and that I renewed on April 15, 2021 and July 19, 2021, that a public health emergency exists and has existed since January 27, 2020, nationwide.

Source: https://www.phe.gov/emergency/news/healthactions/phe/Pages/COVDI-15Oct21.aspx

Are you a HIPAA entity? The “Privacy Law” is probably not what you think.

If you have heard the acronym HIPAA thrown around a lot lately, you are probably thinking, “Do I know what HIPAA means?”. So many are throwing that term around in the falsehood that their legal or privacy rights are being violated in some way as more and more companies are requiring COVID-19 vaccines to secure employment, to stay employed, and now, let’s face it to enter certain public places or to travel.

Well first, let’s clear up the confusion.

The first thing you should know about HIPAA is that it’s HIPAA, not HIPPA. There is only one P, and that P doesn’t stand for “privacy.”

“People make up what that acronym stands for,” Deven McGraw, co-founder, and chief regulatory officer of the medical records platform Citizen and former deputy director for health information privacy at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), had stated in a recent interview.

“More often than not, [they think it’s] Health Information Privacy Protection Act: HIPPA. Yeah, that law does not exist.”, McGraw said.

But now, we see the media asking government officials like Georgia Rep., Marjorie Taylor Green, or Dallas Cowboy quarterback Dak Prescott, or New England Patriots quarterback Cam Newton, all ‘invoke” their HIPAA rights. Green even claimed, more than once, that just asking the question was somehow a “violation of her HIPAA rights”. Incorrect. As more and more employers and healthcare entities and even schools, mandate that employees and students get vaccinated, we need to make sure we are clear on not only what HIPAA is, but how it is applied.

So let’s get one big question out of the way first:

Is it a HIPAA violation for your employer to require vaccines?

No.

Nor is it a HIPAA violation for them to ask for proof that you have been vaccinated, though many people seem to think that providing or even soliciting any sort of health information automatically becomes a HIPAA issue.

Employers do have to keep their employees’ vaccination statuses confidential, but that’s because of the Americans with Disabilities Act — not HIPAA, which, again, doesn’t apply here.

Why HIPAA is so misunderstood?

Both the misspelling and the widespread belief that HIPAA confers a strict set of privacy protections to any health data — and that everyone is subject to those laws — are common, although frustrating mistakes: Most patients only come across the term HIPAA, when signing the notice of privacy practices that the law mandates their health care providers have them sign. Plus, most people consider their health information to be very sensitive and assume their physicians and lawmakers have put the appropriate guardrails in place to keep it as private as possible. But HIPAA’s privacy rules are more limited than many may realize.

What is not well understood about HIPAA, is its limits. It’s very specifically a law that regulates information that is collected because a person is seeking health care.

Normally, the misunderstanding would be just an annoying misstep, but the pandemic has helped bring health privacy issues to the fore. As with many other things over the past year, we’ve moved many of our health interactions to the virtual space, and with the CMS 1135 Waiver flexibilities, under the C.A.R.E.S. Act, some of those interactions may not be covered or protected by HIPAA, but many people simply assume they are.

For example: If you are participating in a Telehealth encounter with your physician, and you are using a smartphone application, such as FaceTime or Skype, as allowed under the Waiver 1135 during the PHE, these platforms are not HIPAA protected, and your physician must inform you of that potential risk of breach of your personal health information before you choose to continue with your visit. This also has to be well documented in the encounter that you were informed, in the way of consent.

What has happened since about 2-3 months into the pandemic, is that it has become increasingly politicized, and many people have cited “HIPAA rights” as an excuse to get out of mask mandates and to declare vaccine passports and mandates to be illegal. Neither of these assertions is true, but that hasn’t stopped many people from making them — even though using them to avoid public safety measures could be harmful to everyone. People have such a high level of confidence believing misinformation, that it is out of control in the COVID era.

The perception that HIPAA is solely a health privacy law that everyone is subject to has become so common that there’s a massive amount of confusion about who and what HIPAA applies to; that the sheer volume of bad information about it is nearly insurmountable.

Social media platforms have been a problem when attempting to give credible information. Trying to get people to understand what a “Covered Entity” or “Business Associate” is in 280 characters is not an easy task. These platforms can write the words, but of course, people will believe what they want, and if it is contrary to what they want it to mean, then the platform doesn’t lend itself well to a considered nuanced discussion.

What HIPAA does

So what does that one P stand for if not privacy? Portability.

HIPAA is short for the Health Insurance Portability and Accountability Act. The 1996 law’s origins lie in creating federal standards for digitizing medical claims data and records (“accountability”) and allowing employees to have health insurance coverage, including for preexisting conditions, when they changed jobs (that’s the “portability”) — rights they did not have before the Affordable Care Act.

The privacy provision, that most of us associate HIPAA with today, wasn’t the focus of the law at the time. When Congress passed this law, they knew on some level, that there was going to be a massive digital transition to our health data in the future, and there might need to be privacy protections for that.

It took a few years to work those protections out, so HIPAA’s privacy rules weren’t issued until the end of 2000, and didn’t fully take effect until 2002. There was a recent update in 2013.

HIPAA only applies to what is called “Covered Entities.” Those are, essentially, health care providers (doctors, hospitals, and pharmacies, for instance), health insurers, and health care clearinghouses (which process medical data). It also covers their “business associates,” or contractors who have to handle medical records in some way to do work for those covered entities. Those parties are required to follow certain protocols to keep your protected health information secure and private, especially in the digital transfer of patient health information.

This is why healthcare providers or insurers might require patients to communicate with them through secure, HIPAA-compliant channels and patient portals, or take other steps to verify a patient’s identity before discussing protected health information with them. HIPAA’s privacy rule also requires that health care providers give the patient, a notice of their privacy practices,  and allow patients to access their medical records. A lot of HIPAA complaints from patients aren’t about privacy violations but about lack of access to medical records, which created the 21st Century Cures Act, to shift that focus to the OCR – Office of Civil Rights.

What HIPAA doesn’t do

It’s important to note that medical privacy didn’t begin with HIPAA, and it’s not the only health privacy law out there. The concept of doctor-patient confidentiality has existed for a long time — it’s part of the Hippocratic Oath (which is not a law) — and that trust is a necessary part of good medical care.

Patients’ have to feel a level of comfort that if they tell their physician some very private, and secret things, that they will be kept that way, and this allows a physician to give the patient the right care and diagnose them properly.

At the same time, many people freely give away their health information to all kinds of places and platforms and to people who have no real legal obligation to keep that information private or secure. With the internet and social media, this is happening more than ever.

Consider this, If you’re recording your steps on a Fitbit or you’re using a nutrition app, that’s not going to be covered by HIPAA. That is not a HIPAA entity and can use that information to market to you athletic shoes or equipment, supplements, etc.

That amazing massage therapist appointment you Tweeted about? Your vaccine card Instagram selfie? Your membership in a Facebook support group for people who have cancer? The period tracker app on your phone? The heart rate monitor on your wrist? Browsing WebMD for information about your recent COVID-19 diagnosis? The mail-order DNA test? The Uber trip you took to the emergency room? That is all health information, most of it is directly tied to you, and it can be sensitive, but none of it is covered by HIPAA (unless protected health information is shared with a covered entity, like a hospital or physician who ordered it, requested it, and asked you to deliver it that way. Even then, it is sketchy.

And then we’ve got the organizations that handle health data but aren’t covered by HIPAA, including most schools, law enforcement, life insurers, and even employers. They may be covered by other privacy laws, but HIPAA isn’t one of them.

A big hiccup to all this is that we are still under the Federal PHE, (some states have let their PHE expire). So, some things that are covered by HIPAA have been given a temporary enforcement waiver due to the pandemic. The Office of Civil Rights will not be enforcing its rule requiring health care providers to use HIPAA-compliant portals for telehealth (as long as patients were informed), nor will it require covered entities to use HIPAA-compliant systems to schedule vaccines — an issue that arose when some health services’ sign-up portals crashed and the services turned to the event scheduling platform, Eventbrite. Eventbrite is a good service for getting a lot of people signed up for an event in high demand, but it’s not HIPAA compliant, and posts events on a public forum.

The Office of Civil Rights (OCR) has stated that that enforcement discretion will remain in effect “until the Secretary of HHS determines that the public health emergency no longer exists, but again, patient’s need to be informed of this security risk, as outlined in the CURES Act and the CMS FAQ rules sheets.”

A Dose of Reality on HIPAA

Understand that if you go to Starbucks (not a covered entity) and refuse to wear a mask because you say you have a health condition, it is not a HIPAA violation if the barista asks you what that condition is, nor is it a HIPAA violation if Starbucks refuses service to you. They are a private business and not a HIPAA entity and can enforce any rules they want that they feel protects public safety and their business, as long as it is not discriminatory to a protected class (i.e race, religion, gender, disability, etc).

If your doctor were to walk into that Starbucks and broadcast your health information to anyone within earshot without your permission, that would be a HIPAA violation. It would also be a good time to consider changing doctors. Fortunately, HIPAA allows you to request your medical records and bring them to a new provider. And if someone else happened to record your doctor’s outburst and put it on TikTok, that’s not a HIPAA violation, even though it does include information that was once protected by HIPAA.

Additionally, someone asking if you’ve been vaccinated is not a HIPAA violation. It’s not a HIPAA violation for anyone to ask about any health condition you may have, though it might be considered rude. A business requiring you to show proof that you’ve been vaccinated before you can enter is not a HIPAA violation. Your employer requiring you to be vaccinated and show proof before you can go to the office is not a HIPAA violation. Schools requiring that students get certain vaccinations before they’re allowed to attend is not a HIPAA violation.

Oh, and vaccine passports — which the Biden administration has already said, it has no plans to mandate, but could change in the future – are also not HIPAA violations.

Look at certain health records apps that are all the rage now, like New York’s Excelsior Pass (ePass) to use it, you are voluntarily giving the app permission to access your health records, and, as the app’s disclaimer clearly states: “[T]he website is not provided to you by a health care provider, so, as such, you are not providing protected health information for health care treatment, payment, or operations (as defined under Health Insurance Portability and Accountability Act (HIPAA)).” Does anyone read the fine print anymore?

So HIPAA isn’t the all-inclusive health privacy law so many people assume it is, but that mass assumption suggests that such a law is both wanted and may be needed. HIPAA has a lot of gaps that a privacy law can and should fill. The pandemic has only made this more apparent.

What we need is for Congress to pass a comprehensive privacy law that sets limits on what the companies can use this data for, how long they can keep it, who they can disclose it to, and doesn’t put the burden of dealing with that on the individual.

Rep. Suzan DelBene (D-WA) is one of several lawmakers who have pushed for better health privacy protections during the pandemic, including as a co-sponsor of the Public Health Emergency Privacy Act, a bill that was introduced in both houses of Congress in 2020 and reintroduced in early 2021. Its premise is that it would protect digital health data collected to stop the pandemic (for instance, by contact tracing apps or vaccine appointment booking tools) from being used for unrelated purposes by the government or private businesses.

HIPAA provides some protections for our health information, but technology has advanced must faster than our laws.

In the meantime, if you have any question whether or not you or another business or person is a “Covered Entity” and needs to comply with HIPAA standards, CMS has a tool to help health care providers and organizations determine whether or not they are considered a covered entity. The link is included below. Also, join me (Terry Fletcher), and Healthcare Attorney, and fellow NSCHBC member, Amanda Waesch for our October 12th, episode of the NSCHBC Edge podcast. We will be discussing this very topic and diving into the legalities of these mandates and how they will affect healthcare providers soon.

You can also listen to Terry each week on her CodeCast Podcast found on all downloadable platforms.

References:

Renewal of Determination That A Public Health Emergency Exists

As a result of the continued consequences of the Coronavirus Disease 2019 (COVID-19) pandemic, on this date and after consultation with public health officials as necessary, I, Xavier Becerra, Secretary of Health and Human Services, pursuant to the authority vested in me under section 319 of the Public Health Service Act, do hereby renew, effective July 20, 2021, the January 31, 2020, determination by former Secretary Alex M. Azar II, that he previously renewed on April 21, 2020, July 23, 2020, October 2, 2020, and January 7, 2021, and that I renewed on April 15, 2021, that a public health emergency exists and has existed since January 27, 2020, nationwide.

Visit PHE.gov for more information.