The coronavirus disease 2019 (COVID-19) pandemic has required health care systems to radically and rapidly rethink the delivery of care. One of the most remarkable ongoing changes has been the unprecedented accelerated expansion of telehealth. The pandemic may provide the incentive needed to realize the potential of telehealth. Nevertheless, concerns remain that safety and privacy may be compromised by rapid deregulation, despite data, although limited, regarding good overall quality.1 In studies conducted before the COVID-19 pandemic, patients reported high levels of satisfaction.2
This Viewpoint describes some of the most important telehealth regulatory changes that have occurred in response to COVID-19 and discusses some of the opportunities and challenges inherent in successfully harnessing the unexpected expanded role recently given to telehealth in the US.
Changes in Payment
One of the most significant changes for telehealth related to the COVID-19 pandemic has been payment parity between telehealth and in-clinic care. Previously, many states required insurers to cover telehealth but did not stipulate payment parity.3 Low reimbursement for telehealth was viewed as a critical disincentive. Without payment, it would be difficult for clinicians to afford to provide the service, despite data from previous studies suggesting clinicians were broadly supportive of its use.4 At the same time, payment rates should reflect the cost of the service, avoiding overpayment if clinicians can use telehealth to deliver more visits per session. The concept of payment equity is emerging so as to avoid perversely incentivizing the use of telehealth encounters.
Recognizing the need for incentives, some private payers and Medicaid programs announced payment parity for telehealth for the duration of the pandemic.5 For instance, for a routine primary care visit, such as for a 20- to 30-minute visit with a physician, Louisiana Medicaid reimbursement for 2020 would be $33.95 for a telehealth visit (Current Procedural Terminology [CPT] code 99443), compared with $62.65 for a physical visit (CPT code 99214). This payment parity is a necessary step, as there has been a substantial shift in some clinics, increasing the proportion of telehealth visits from 10% before the pandemic to more than 90% telehealth work during the pandemic.6 Regulatory change governing payment parity will need to be sustained after the pandemic, and adequate reimbursement for telehealth will be an important factor to maintaining broad adoption. Without these changes in reimbursement, some small practices, especially in rural areas, may encounter financial difficulty because of reductions in physical clinical visits.
Payment also remains a problem at state boundaries, because in many cases, billing is not approved across states. Cross-state billing remains a significant barrier for clinicians who are not part of an in-state health care network.
Changes in Privacy
Patient privacy regulations, especially the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also have been perceived as a potential barrier to wider adoption of telehealth. Given the importance of secure and private channels of communication, some clinicians may be challenged in finding telehealth technology partners willing to sign business associate agreements given the prepandemic requirements for security and privacy.
In response to the pandemic, the Office for Civil Rights at the Department of Health and Human Services issued a notice of enforcement discretion, stating that it will not impose penalties for HIPAA violations that occur during the good faith provision of telehealth during the COVID-19 emergency.7 This allows clinicians and health care entities to use platforms that are not HIPAA compliant, such as FaceTime and other commonly used channels. This practical approach was needed to increase telehealth services quickly but will require careful consideration of the long-term issues with these platforms.
However, a more nuanced approach to privacy may be needed after the pandemic to support telehealth expansion. Privacy concerns should not interfere with the actual need of patients to receive care on a timely basis. HIPAA regulations may need to be revisited, so patients could be given the responsibility and ability to share their health information with clinicians who require that information. While the risk for privacy intrusions under the pandemic standards, such as “Zoom bombing”—which is when disruptive, uninvited users force their way into a virtual meeting—needs to be acknowledged, privacy may not be the most important concern during a crisis. However, when the pandemic begins to resolve and for situations in which the need for care is not urgent, due diligence is necessary to ensure that privacy is addressed appropriately. Guardrails, such as periodic audits, would be needed to ensure security. Perhaps, similar to systems in the financial sectors (ie, personal access to bank accounts and investment accounts), a more user-friendly approach to privacy may be possible for personal health care delivery.
Changes in Licensing
Telehealth also has been limited by geographic rules that govern medical licensing. Previously, some states, such as Ohio, New Mexico, and Texas, created special telehealth licenses and other states, such as Arizona, Tennessee, and Vermont, entered into the Interstate Medical Licensing Compact to enable out-of-state physicians to practice in their jurisdictions via telehealth.3
In response to COVID-19, some states are relaxing or eliminating certain licensure requirements. This trend has enabled some clinicians from one state to care for patients in a different state. Because these regulations create a more permissive environment, however, mechanisms are required to ensure verification of clinicians. For instance, as in the insurance and finance industries, recorded calls could be used to audit and monitor the quality of care (which some platforms have already incorporated),8 although provisions to guarantee patient privacy and confidentiality would need to be established. Another approach may involve federal telehealth practitioner licensing, which could reduce the compliance burden for physicians who practice telehealth in more than 1 state.
To maintain the impetus for change and the momentum for telehealth services that have resulted from the COVID-19 pandemic, the US cannot revert to prepandemic telehealth regulations. Neither can the US simply adopt the recent changes, because they lack nuance to support clinicians while ensuring safety and privacy for patients: a third regulatory path is needed.
First is the issue of safety. Is the health professional on the video conference call qualified and competent? The current economy has found ways to qualify and certify the services provided by delivery drivers and online portals, but those methods are not foolproof. Quality evaluation must be built into the telehealth process. Quality evaluation remains a challenging priority to accomplish, even in the context of traditional visits, and it will be no less difficult for telehealth visits.
Second is the trade-off between privacy and ease of use. Here the principles of “value architecture” can be helpful. Does all telehealth have to be embedded in current organizational electronic health care record (EHR) systems to satisfy privacy regulations? This choice results in a system in which the only access to information is via cumbersome EHR systems. Imposing such a requirement might lead to balkanization of the information that patients and clinicians need to prevent error, waste, and duplication. What if instead, patients’ health care data were stored in secure databases that allow immediate need-to-know access to past history, test results, and current medication? Lessons from relaxing HIPAA during the COVID-19 pandemic may be helpful to reconsider patient data governance.
Third are issues of access. Patients cannot realize the benefits of telehealth if physicians are not incentivized to maintain telehealth practices after COVID-19. A shift away from a geographic emphasis on licensure and restrictive networks also could facilitate more telehealth. But regulatory corrections are not as easy as they seem at first glance. Payment parity may not be realized after the pandemic, in part because telehealth visits are generally shorter than in-office visits and forgo procedures, leading to a reduction in revenue under fee-for-service. Telehealth might be a more economic way to deliver health care, but that may represent an important financial threat to practices and centers with traditional delivery structures such as fee-for-service or to those with significant capital investments in existing facilities.
Fourth is a more sophisticated approach to payment. Payment parity has been broadly implemented during the pandemic and makes the provision of telehealth financially more attractive to providers. Moving forward, however, payment equity rather than parity should be the goal. Telehealth visits tend to be shorter and include fewer diagnostic services than in-person visits. Reimbursing at identical rates as in-person visits thus would represent overpayment. The principle of equity would suggest that reimbursement rates for telehealth services should be close, but not identical to, reimbursement rates for in-person visits. Mandating payment equity and determining the optimal differential between reimbursement rates for virtual and in-person visits will require more study and careful consideration.
To ensure that the increased utilization of telehealth observed during the COVID-19 pandemic is not squandered, lessons from this period of deregulation need to be thoughtfully extracted. Some modifications, such as waiving parts of HIPAA, are clearly intended for a crisis but can suggest areas in which sustained regulatory change could be beneficial. Other modifications, such as payment equity rather than parity, should be considered but raise further questions about implementation.
Corresponding Author: Carmel Shachar, JD, MPH, Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School, 23 Everett St, Cambridge, MA 02138 (email@example.com).
Published Online: May 18, 2020. doi:10.1001/jama.2020.7943
Conflict of Interest Disclosures: Ms Shachar reported receiving a grant from the Collaborative Research Program for Biomedical Innovation Law, a scientifically independent collaborative research program supported by a Novo Nordisk Foundation grant (NNF17SA0027784). Dr Elwyn reported receiving active research grants from the Patient-Centered Outcomes Research Institute, Robert Wood Johnson Foundation, and Cystic Fibrosis Foundation and advising for EBSCO Health, PatientWisdom, Abridge AI, and Bind Insurance.
Additional Contributions: Some of the concepts and ideas incorporated in the article were based on discussion and interviews with Sanjeev Arora, MD, ECHO Institute; Elliot Fisher, MD, MPH, Dartmouth Institute for Health Policy and Clinical Practice; Matthew Handley, MD, Kaiser Permanente of Washington; Judd Hollander, MD, Sidney Kimmel Medical College at Thomas Jefferson University; Surena Matin, MD, MD Anderson Cancer Center; Lois Ramondetta, MD, MD Anderson Cancer Center; Robert Satcher, MD, PhD, MD Anderson Cancer Center; and Rahul Sharma, MD, MBA, New York Presbyterian–Weill Cornell Medical Center. None of these individuals were compensated for their participation.
Shachar C, Engel J, Elwyn G. Implications for Telehealth in a Postpandemic Future: Regulatory and Privacy Issues. JAMA. 2020;323(23):2375–2376. doi:10.1001/jama.2020.7943