US Pharm. 2020;45(5):24-27.

On January 31, 2020, the U.S. Department of Health and Human Services (HHS) declared a nationwide public health emergency (PHE) as a result of the 2019 novel coronavirus (COVID-19). Since that declaration, federal and state government authorities have issued guidance and waived restrictions on the use of telehealth technologies and services. The government authorities have taken these actions, recognizing the usefulness of telehealth technologies and services in improving access to care, speeding diagnosis and treatment, and limiting the risk of person-to-person spread of COVID-19. Healthcare professionals believe that expanded capacity will help preserve access to in-person care for those in critical need and allow a majority of initial screenings to happen outside of a hospital or other healthcare setting.1

Telehealth Technology and Services

Although telehealth is defined differently by federal and state legislatures and government authorities, it may be useful to review a baseline definition. For purposes of Medicare, “telehealth services” means certain professional consultations, office visits, office psychiatry services, and any additional service specified by the HHS Secretary. The HHS Health Resources and Services Administration (HRSA) defines telehealth as the use of electronic information and telecommunications technologies to support and promote, at a distance, healthcare, patient and professional health-related education, and public health and health administration. Technologies recognized by HRSA include video conferencing, the Internet, store-and-forward imaging, streaming media, and landline and wireless communications. As a result, HRSA regards a wide range of technologies as comprising telehealth technologies. Regardless, pharmacists should review the law at the state and federal levels to identify those technologies and services that are permitted as authorized practice and are reimbursable.2

The Federal Response to the COVID-19 PHE

Since the beginning of March 2020, the federal government has enacted two phases of legislation addressing telehealth services. In the first phase, Congress enacted and the President signed into law the Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020 (CPRSA Act). This act allows the HHS Secretary to temporarily waive or modify certain Medicare requirements regarding payment of telehealth services provided during emergency periods.3 On March 27, 2020, the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act) was signed into law (see SIDEBAR 1).4

The President’s Emergency Proclamation, Medicare, Medicaid

During the interim period between the CPRSA Act and the CARES Act, President Donald J. Trump issued an Emergency Proclamation, granting the HHS Secretary authority under the Social Security Act, Section 1135, to temporarily waive or modify certain requirements of the Medicare, Medicaid,  and state children’s insurance programs and of the Health Insurance Portability and Accountability Act (HIPAA).5

The same day as the Emergency Proclamation, the HHS Secretary waived requirements that physicians or other healthcare professionals hold licenses in the state in which they provide services if they have an equivalent license from another state (and are not affirmatively barred from practice in that state or any state, a part of which is included in the emergency area). This action consequently waived certain licensing requirements as conditions of participation and payment in federal healthcare programs. However, state law continues to govern whether a nonfederal provider is authorized to provide services in a state without state licensure.

As of April 10, 2020, 43 states and the District of Columbia have modified in-state licensure requirements for telehealth in response to COVID-19, including Alabama, Alaska, California, Colorado, Connecticut, Delaware, Florida, Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington DC, West Virginia, Wisconsin, and Wyoming. As of April 10, 2020, eight states were without waivers.6

With respect to Medicare, the Centers for Medicare & Medicaid Services (CMS) promptly exercised Section 1135 waiver authority to implement the following changes for Medicare beneficiaries as of March 6, 2020, and lasting for the duration of the COVID-19 PHE: 1) Medicare will pay for office, hospital, and other visits furnished via telehealth in all areas and all settings across the country, including in patients’ places of residence; 2) to the extent Medicare requires a prior established relationship between patient and practitioner, HHS will not conduct audits to ensure that such a prior relationship existed for claims submitted during the PHE; and 3) the HHS secretary expressly authorized the use of telephones that have audio and video capabilities for furnishing of Medicare telehealth services during the PHE.7

CMS also exercised its Section 1135 authority by announcing that states have broad flexibility to cover telehealth through Medicaid, including the methods of communication (such as telephonic and video technology commonly available on smartphones and other devices). No federal approval is needed for state Medicaid programs to reimburse providers for telehealth services in the same manner or at the same rate that states pay for face-to-face services, and telemedicine may be used for certain face-to-face assessments. In addition, telehealth may be used for initiation of home health services.8

The Office of Inspector General

The HHS Office of Inspector General (OIG) will not subject physicians and practitioners to administrative sanctions for reducing or waiving cost-sharing obligations that federal healthcare program beneficiaries may owe for telehealth services during the COVID-19 PHE. Prior to the OIG’s action, practitioners who routinely reduced or waived beneficiary cost-sharing would have potentially implicated the federal antikickback statute, the civil monetary penalty and exclusion laws related to kickbacks, and the civil monetary penalty law prohibition on inducements to beneficiaries. The OIG’s action does not mandate that cost-sharing be waived or reduced; nor does it require billing Medicare.9

Controlled Substances Act

The Controlled Substances Act generally requires that prescriptions for controlled substances issued by means of the Internet (including telemedicine) must be predicated on an in-person medical evaluation. However, the Controlled Substances Act allows an exception to the requirement when the HHS Secretary has declared a PHE. Following the declaration by the HHS Secretary, the U.S. Department of Justice, Drug Enforcement Administration (DEA) issued guidance that DEA-registered practitioners may issue prescriptions for all schedule II through IV controlled substances to patients for whom they have not conducted an in-person medical evaluation when the following conditions are met: 1) the prescription is issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice; 2) the telemedicine communication is conducted using an audio-visual, real-time, two-way interactive communication system; and 3) the practitioner is acting in accordance with applicable federal and state law.10

HIPAA and Telehealth Technology

Under HIPAA, the HHS Office for Civil Rights (OCR) has issued a Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 nationwide PHE.11

Under the Notification of Enforcement Discretion, the OCR will not impose penalties for HIPAA violations against healthcare providers that serve patients in good faith using nonpublic facing, remote audio or video communication technologies—such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype—during the COVID-19
nationwide PHE.12

However, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing and, according to the OCR, should not be used by healthcare providers to provide telehealth services. The OCR cautioned that covered healthcare providers should deliver telehealth services through technology vendors that are HIPAA compliant and agree to enter into HIPAA business associate agreements. The OCR did not endorse any vendors or review their business associate agreements but did note that the following vendors represent that they provide HIPAA-compliant video communication products and offer to enter into a HIPAA business associate agreement:  Skype for Business/Microsoft Teams, Updox, VSee, Zoom for Healthcare,, Google G Suite Hangouts Meet, Cisco Webex Meetings/Webex Teams, Amazon Chime, GoToMeeting, and Spruce Health Care Messenger. Importantly, the OCR stated that it would not impose penalties against covered healthcare providers for the lack of a business associate agreement with video communication vendors or any other noncompliance with the HIPAA rules that relates to the good faith provision of telehealth services during the COVID-19 PHE.13

In related guidance, the OCR stated that the Notification of Enforcement Discretion applies to all healthcare providers covered under HIPAA and that provide telehealth services during the emergency. However, the OCR also stated that health insurance companies that pay for telehealth services are not covered by the Notification of Enforcement Discretion because they are not engaged in the provision of healthcare.14

The Notification of Enforcement Discretion applies to all HIPAA-covered healthcare providers, with no limitation on the patients they provide telehealth services, including those patients who receive Medicare or Medicaid benefits and those who do not. The OCR cautioned healthcare providers to conduct telehealth services in private settings, such as a doctor in a clinic or office connecting to a patient who is at home or at another clinic. The OCR stated that providers should use private locations and patients should not receive telehealth services in public or semipublic settings, absent patient consent or exigent circumstances. According to the OCR, if telehealth cannot be provided in a private setting, covered healthcare providers should continue to implement reasonable safeguards to limit incidental uses or disclosures of protected health information, including using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing.15

All services that a covered healthcare provider, in the exercise of professional judgment, believes can be provided through telehealth in the given circumstances of the current emergency are covered by the Notification of Enforcement Discretion. Those services include the diagnosis and treatment of COVID-19–related conditions, taking patients’ temperature, diagnosis or treatment of non–COVID-19-related conditions, review of physical therapy practices, mental health counseling, and adjustment of prescriptions.16

Covered healthcare providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth services during the COVID-19 nationwide PHE. If electronic protected health information is intercepted during transmission, the OCR will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the nationwide PHE.17


Actions taken by federal and state government authorities in response to the COVID-19 PHE continue to evolve, and the governmental responses are occurring in phases, sometimes with subsequent guidance issued to clarify previous waivers or guidance. Healthcare practitioners should check regularly with licensing boards and other government authorities to ensure that they remain up-to-date with the latest guidance during the COVID-19 pandemic.


1. See HHS, Determination that a Public Health Emergency Exists, January 31, 2020. Accessed April 1, 2020. 42 USCS § 247d(a)(1) and (2).
2. 42 U.S.C. 1395m(m)(4)(F); 42 USCS §254c-14(a)(7). HHS Office for Civil Rights, FAQs on Telehealth and HIPAA during the COVID-19 Nationwide Public Health Emergency, March 17, 2020. Accessed March 30, 2020. (“HIPAA Telehealth FAQs”); 42 USCS §1320b-5(a) and (b).
3. Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020, Pub. L. 116–123 (March 6, 2020), Section 102(a)(1). Accessed April 13, 2020.  The Second Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020, Pub. L. 116–127 (March 18, 2020) does not specifically address telehealth services.
4. The Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”), Pub. L. 116-136 (March 27, 2020) (published as H.R. 748), Sections 3701, 3703, 3704 and 3706(2)(II). Accessed April 9, 2020.
5. President Donald J Trump’s Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak, March 13, 2020. Accessed April 9, 2020.
6. Alex M. Azar II, Waiver or Modification of Requirements Under Section 1135 of the Social Security Act, Mar. 13, 2020. Accessed April 9, 2020. See also CMS, 1135 Waivers. Accessed April 9, 2020. Federation of State Medical Boards, States Modifying In-State Licensure Requirements for Telehealth in Response to COVID-19. April 10, 2020. Accessed April 10, 2020.
7. 42 U.S.C. 1320b-5(g). Medicare Telemedicine Health Care Provider Fact Sheet, March 17, 2020.  Accessed April 9, 2020. 42 CFR §410.78. See also 1135 Waiver At A Glance,
8. COVID-19 Frequently Asked Questions (FAQs) for State Medicaid and Children’s Health Insurance Program (CHIP) Agencies, Last Updated April 2, 2020, FAQs C.2 and 9. Accessed April 9, 2020.9. OIG Policy Statement Regarding Physicians and Other Practitioners That Reduce or Waive Amounts Owed by Federal Health Care Program Beneficiaries for Telehealth Services During the 2019 Novel Coronavirus (COVID-19) Outbreak, March 17, 2020. Accessed March 30, 2020.
10. 21 USCS §829(e)(1) and (2)(A) -(B); 21 USCS §§301, et seq.; DEA Policy Telemedicine, March 16, 2020. Accessed April 2, 2020.
11. Notification of Enforcement Discretion. Accessed April 10, 2020.
12. Id. Non-public facing remote communication products also would include commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, or iMessage. Typically, these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted. The platforms also support individual user accounts, logins, and passcodes to help limit access and verify participants. In addition, participants are able to assert some degree of control over particular capabilities, such as choosing to record or not record the communication or to mute or turn off the video or audio signal at any point. HIPAA Telehealth FAQs.
13. Id.
14. HIPAA Telehealth FAQ No. 2. Under HIPAA, a “health care provider” is a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. Health care providers include, for example, physicians, nurses, clinics, hospitals, home health aides, therapists, other mental health professionals, dentists, pharmacists, laboratories, and any other person or entity that provides health care. According to OCR, a “health care provider” is a covered entity under HIPAA if it transmits any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard (e.g., billing insurance electronically). Id at No. 2.
15. Id.
At Nos. 3 and 7.
16. Id.17. Id. at No. 11.

The content contained in this article is for informational purposes only. The content is not intended to be a substitute for professional advice. Reliance on any information provided in this article is solely at your own risk.

To comment on this article, contact