On March 6, 2020, the president signed into law H.R. 6074, the Coronavirus Preparedness and Response Supplemental Appropriations Act (“Act”). This law provides $8.3 billion in emergency funding for federal agencies to respond to the coronavirus outbreak. In addition, the law allows the Secretary of the United States Department of Health and Human Services (“Secretary”) to temporarily waive certain Medicare restrictions and requirements regarding telehealth services during the coronavirus public health emergency.

Specifically, the law permits the Secretary to waive the prohibition on the use of telephones to perform telehealth services, so long as the telephone has two-way, real-time interactive audio and video capabilities, such as a smartphone. Additionally, the law permits the Secretary to relax “originating site” requirements which, under the Social Security Act, previously permitted Medicare to pay only for telehealth services provided to patients in certain limited geographic areas. H.R. 6074 now allows the Secretary to permit payment for telehealth services provided in an “emergency area” by a “qualified provider.” The term “emergency area” is defined to include the nationwide public health emergency declared by the Secretary on Jan. 31, 2020, relating to the current coronavirus outbreak. Thus, for purposes of the Act, the entire country is an “emergency area.” The term “qualified provider” is limited to a provider who has treated the patient within the last three years or a provider in the same practice as a provider who has done so. This would allow individuals to interact with their providers and providers’ offices by smartphone, but it would not allow individuals and providers to use smartphones in the context of new treatment relationships.

In terms of the scope of the services that may be provided, these waivers contemplate that any service permitted under the Social Security Act could be provided via smartphone, not just the diagnosis or treatment of coronavirus. Thus, the waivers would allow individuals to receive routine services through their smartphone without having to leave their home. This would potentially limit individuals with coronavirus symptoms from exposing others by leaving their homes, and also would enable otherwise healthy individuals to limit their own exposure by not having to visit their doctor’s office during the outbreak. It should be noted that these waivers are not anticipated to be indefinite and likely will end when the public health emergency caused by the coronavirus has ended.

As of the writing of this article, Secretary Azar had not yet acted to implement these waivers, but it is widely expected that he will do so in the near future. This is especially so given that the Congressional Budget Office (“CBO”) estimates $490 million will be spent by allowing this broader use of and payment for telehealth services for Medicare beneficiaries during the emergency period.

Finally, there is one hurdle to implementing the new telehealth provisions set forth in the Act. While these waivers would allow reimbursement for telehealth services provided through smartphones, these devices are not considered secure under HIPAA and there has been no corresponding waiver or lessening of the privacy or security standards as related to these devices. Indeed, in February, the Office for Civil Rights (“OCR”), which enforces the Health Insurance Portability and Accountability Act (“HIPAA”), reminded HIPAA-covered entities and their business associates that “the protections of the Privacy Rule are not set aside during an emergency.” OCR made clear that even in an emergency situation, “covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.” It is possible that, in response to Congress’s direction that the Secretary may allow telehealth services to be provided via smartphone, Secretary Azar may determine to loosen HIPAA requirements to further enable medical care via smartphone during this emergency. But, for the time being, HIPAA remains fully applicable to medical services provided via telehealth.