A government watchdog recently evaluated the use of telehealth services since Medicare temporarily waived restrictions due to the COVID-19 pandemic. It found that Medicare hasn’t comprehensively assessed the quality of care patients received and lacks data on telehealth services delivered in patients’ homes via video or phone.

The U.S. Government Accountability Office (GAO) is calling for the Centers for Medicare & Medicaid Services (CMS) to strengthen its telehealth oversight of both phone and video visits and for the Office for Civil Rights (OCR) to help providers better explain privacy and security risks to patients.

The GAO report determined that the agencies must strengthen their oversight of telehealth services, including assessment of the quality of those services, before Congress takes action to expand or extend telehealth access once the COVID-19 public health emergency expires.

The use of telehealth services increased 10-fold during the pandemic. There were 53 million telehealth visits in April-December 2020 compared to five million during the same period in 2019. The GAO learned that CMS was unable to identify which services used audio-only or video. Furthermore, CMS hadn’t assessed the quality and had no plans to assess the quality of the services.

“It’s essential to know whether they [the services] are medically necessary, equitable, and whether they lead to improved health,” said GAO's Leslie Gordon, acting director, health care, during a podcast about the report. “It's also important because right now CMS is paying the same amount whether you go in-person, you have a video visit, or if you talk to your doctor on the phone.”

The GAO also looked at the privacy and security of telehealth since OCR relaxed its enforcement of privacy and security rules during the pandemic, Gordon explained. This was necessary so people could connect with their doctors, regardless of the video technology platform. However, she said, it’s likely some of those platforms didn’t meet the privacy and security requirements. And, the report noted, patients may not realize that their private health information could be overheard or inappropriately disclosed during their video appointment.

“The problem was the agency doesn't know if providers are explaining the risks to their patients. And here we are more than two years later, HHS Office for Civil Rights still isn't enforcing the privacy and security requirements and we don't know who's aware of those risks,” she said.

As a result, GAO recommends that CMS and OCR take the following actions:

  • CMS better track audio-only telehealth services by developing an additional billing modifier or by clarifying its guidance regarding billing of audio-only office visits.
  • CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes.
  • CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the PHE. The assessment could include leveraging evidence from related efforts led by other U.S. Department of Health and Human Services (HHS) agencies.
  • OCR should provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services.

HHS neither agreed nor disagreed with the three CMS recommendations and concurred with the OCR recommendation.