Recent Changes to Federal Telehealth Laws in Response to the COVID-19 Outbreak


By: Jason Gregoire

March 20, 2020

Health care consumers have likely heard of, or received some aspect of their care through, “telemedicine” or “telehealth” applications, software, or phone services. What many of these consumers do not know, however, is that state and federal insurance and licensing laws have lagged behind technological advances.

For example, before the COVID-19 national emergency declaration, Medicare would not pay for a telehealth service where the patient received the service in their home. Instead, patients were forced to receive telehealth services at qualifying “originating sites” such as hospitals or physician offices for these services to be covered. In addition, even though common smart phone applications like Apple Facetime and Skype can easily be used to facilitate real-time, face-to-face visits between health care practitioners and patient, federal privacy laws did not permit use of these applications because they did not meet applicable security standards.

In the wake of the COVID-19 national emergency declaration, federal regulatory bodies have relaxed existing restrictions on the provision of, and payment for, telehealth services. This alert canvasses recent changes to federal telehealth laws as of March 20, 2020.


On March 17, 2020, the U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) published guidance regarding OCR’s enforcement of the major federal health privacy law, the Health Insurance Portability and Accountability Act (“HIPAA”), to various telehealth technologies that do not otherwise comply with HIPAA’s rigorous Security Rule requirements. In this guidance, OCR stated that, during the period of national emergency:

  • Health care providers may communicate with patients and provide telehealth services through “non-public facing” audio and video communications technologies even though these technologies do not comply with the HIPAA Security Rule.
    • Translation: While apps like Apple FaceTime, Facebook Messenger, and Skype were previously off-limits, practitioners can now use these apps to engage in telemedicine. “Public-facing” applications like Facebook Live, Twitch and TikTok are still off limits.
  • OCR will not impose penalties for non-compliance with applicable HIPAA’s Privacy and Security Rules in connection with a providers’ good-faith provision of telehealth services.
  • OCR’s decision not to impose HIPAA penalties applies “regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
    • Translation: Providers can treat garden-variety illnesses and conditions such as sprained ankles or rashes via telemedicine without fear of penalty because the assumption is the provider is using telehealth to avoid in-person contact and potential exposure to COVID-19.
  • Providers that elect to use telehealth technologies that do not comply with the HIPAA Security Rule are encouraged to communicate potential privacy risks to patients and enable encryption and privacy measures when available.

OCR updated this guidance again on March 19, 2020 and appears poised to continue revising this guidance to adapt to changing needs. You can find this update here.


On Monday March 16, 2020, the Centers for Medicare and Medicaid Services (“CMS”) announced that it will temporarily expand reimbursement for Medicare telehealth services effective March 6, 2020. CMS’s guidance is dense and littered with technicalities regarding billing and reimbursement for different types of Medicare telehealth services such as “telehealth visits”, “virtual check-ins” and “e-visits.”

Below is a description of the major changes that apply during the national emergency, but providers are encouraged to read the entire guidance document to ensure compliance.

  • Subject to some limitations, Medicare will pay for office, hospital, mental health, virtual check-ins and other visits by telehealth including those visits or check-ins where a patient receives the service in their home.
  • Many different types of providers such as physicians, nurse practitioners, clinical psychologists, clinical social workers and others are eligible to be reimbursed by Medicare for telehealth services.
  • CMS is waiving the requirement that Medicare telehealth patients reside in a “designated rural area” or receive services at a qualifying “originating site.”
  • CMS will not conduct audits to determine whether a pre-existing relationship existed between provider and patient for those Medicare telehealth visits that usually require a prior, established relationship in order to be covered.
  • The U.S. HHS Office of Inspector General will allow providers to reduce or waive cost-sharing (e.g. co-pays and co-insurance) for telehealth visits paid by federal healthcare programs.

You can find the CMS guidance here.

Prescription of Controlled Substances

Since 2008, the federal Ryan Haight Online Pharmacy Consumer Protection Act has served as a barrier to the prescription of controlled substances such as opioids through telemedicine because it requires practitioners to conduct an initial, in-person examination with a patient before prescribing controlled substances. This limitation has prevented patients in rural areas or those without an established physician relationship from obtaining necessary medications such as buprenorphine to combat opioid addiction from remote providers.

On March 16, 2020, the U.S. Drug Enforcement Agency and Secretary of Health of Human Services invoked a waiver in federal law to permit DEA-registered practitioners in the U.S. to issue prescriptions for all schedule II-IV controlled substances through telemedicine to patients with whom they have not conducted an in-person medical evaluation as long as the following conditions are satisfied:

  • “The prescription is issued for a legitimate medical purpose by a practitioner acting within the scope of his/her practice”;
  • “The telemedicine communication is conducted using an audio-visual, real-time, two-way, interactive communication system”; and
  • “The practitioner is acting in accordance with applicable Federal and State laws.”

This guidance states that “practitioner” includes physicians, dentists, veterinarians, and other persons licensed, registered, or otherwise allowed by the U.S. or the jurisdiction in which/he she practices to prescribe controlled substances. Before prescribing controlled substances by telehealth, practitioners should ensure that neither state law nor their professional licensing boards prohibit this practice.

You can find this guidance here.


Applicable laws, regulations, sub-regulatory guidance, and policies are changing daily. Providers should consider professional licensing, privacy, and other state and federal laws before engaging in these expanded telehealth practices. We will continue to update you on changes to the telehealth landscape. In our next update, we will survey changes to New Hampshire and Massachusetts’ telehealth laws in response to the Coronavirus pandemic.