Audio-Only Medicaid Telehealth Policies
In response to the COVID-19 crisis, many state Medicaid agencies implemented temporary telehealth service delivery and reimbursement policies that allow for both audio/visual and audio-only telehealth modalities. As states begin to consider their longer-term telehealth policies for the period following the COVID-19 public health emergency, many are looking to continue covering and paying for limited audio-only telehealth, particularly in rural areas and for some targeted services (e.g., behavioral health). The following describes the legal authority that permits states to continue to authorize Medicaid reimbursement for audio-only telehealth after the public health emergency ends.
Medicaid Reimbursement for Audio-Only Telehealth
There are no federal Medicaid prohibitions on any form of telehealth for state plan services, including the use of audio-only telehealth. While states have discretion in defining their state telehealth policies, there may be some instances when states will be required to submit a State Plan Amendment (SPA) to authorize reimbursement. Specifically, if a state has different payment rates for audio-only versus in-person services, a state will need to memorialize the unique reimbursement policy for telehealth in its state plan.
Health Insurance Portability and Accountability Act (HIPAA) and Audio-Only
There has been some confusion about whether HIPAA requirements prohibit providers from engaging in, and state Medicaid agencies from reimbursing for, audio-only telehealth outside of the public health emergency. Telephone communications meet the HIPAA conduit exception, as described further below, and providers may engage in telephone calls with patients in compliance with HIPAA so long as the provider:
- Does not allow the cell phone carrier to access or store the information discussed during the call absent a business associate agreement (BAA). Generally, HIPAA covered entities need to enter into a BAA with any vendor that has access to protected health information (PHI) on their behalf. However, under the conduit exception, “entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission service” are not considered business associates. Therefore, covered entities do not need to enter into BAAs with those organizations, so long as couriers do not access or store the PHI. In other words, a provider would not need to enter into a BAA with a cell phone carrier to engage in audio-only telehealth, so long as the carrier does not access or record the call.
- Does not share any information that existed in electronic form immediately prior to the call. Under the HIPAA Security Rule, covered entities must assess the security practices of their vendors and typically need to assess whether they encrypt data. Importantly, this rule applies to electronic PHI (ePHI) only, which is transmitted and maintained in “electronic media.” Per 45 CFR 160.103, “Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.” If a provider were to share PHI over the telephone, that PHI would not be considered ePHI, and therefore would not be subject to HIPAA security requirements, so long as that information did not exist in electronic form immediately prior to the call.
State Medicaid agencies have broad discretion in setting telehealth coverage and payment policies after the public health emergency, including deciding to cover and pay for audio services. Similarly, providers have considerable flexibility in engaging in telephone calls with patients, in compliance with HIPAA. For more information regarding Medicaid audio-only telehealth, please contact SHVS’s technical assistance partner, Patricia Boozang at Manatt Health (email@example.com).