Reporting SDoH G0136 in compliance

(updated 4/6/2024) – This is also posted on the website

2024 brought new HCPCS codes that Medicare, Medicare Advantage and some 3rd-party Commercial plans will now pay for. One of those codes is G0136, the Social Determinants of Health (SDoH) assessment. It is not an add-on code, but a stand-alone assessment.

G0136 is defined as “Administration of a standardized, evidence-based Social Determinants of Health Risk Assessment, 5-15 minutes, not more often than every 6 months.”

G0136 is not a screening tool that should be used on all Medicare patients at office visits or annual wellness visits.

It is an assessment, not a screening. The assessment is performed at a visit after the physician/NPP has seen the patient and decides that it is necessary. And, if problems are found, follow-up is required. See CMS 2024 Final Rule citations below.

From the Final Rule, they do expect that a practitioner who furnishes the risk assessment would “… at a minimum, refer the patient to relevant resources and take into account the results of the assessment in their medical decision making, or diagnosis and treatment plan for the visit.” p.358 Final Rule.

CMS was also clear that this is not a screening, and that it requires physician follow-up.

“We reiterate that the SDoH risk assessment code, HCPCS code G0136, when performed in conjunction with an E/M or behavioral health visit is not designed to be a screening, but rather tied to one or more known or suspected SDoH needs that may interfere with the practitioners’ diagnosis or treatment of the patient.” The CMS Final Rule goes on to say, “An SDOH risk assessment without appropriate follow-up for identified needs would serve little purpose and we continue to believe that follow-up or referral is an important aspect of following up on findings from an SDoH risk assessment.” p.346 Final Rule.

Here is my professional advice on reporting this new code

The only time you would bill Traditional Medicare and/or Medicare Advantage Plans for the SDoH assessment, G0136, is when an SDoH need is suspected, identified, and a plan of care is needed to address these concerns, and at least 5 minutes or greater is documented, as described in the code. Remember, the AWV guidelines were updated this year to include the SDoH considerations, so if there are “unmet needs” that need to be addressed, report it. The appropriate SDoH needs to be identified in the medical record documentation and reported with appropriate diagnosis codes from the ICD-10-CM categories, Z55-Z65. (Linking Z13.9, encounter for screening, would not be appropriate.)

When the patient is presenting for a problem-oriented encounter, this assessment can be done on the day of an E/M service (99202-99215), not including code 99211. Since the patient is there for a problem-oriented visit, I would want to see that there is a reason linked to the problems addressed and the SDoH that needs attention. It would not be reported for every patient, as some just come in for that 3-6 month checkup, or annual medicine reconciliation, etc, and there are no SDoH factors to consider on that DOS. As with all medical services, it has to be medically necessary to capture it.

According to, during the Final Rule CY 2024 comment period, CMS was asked whether a patient using an on-line portal, rather than having the service done on the day of an E/M service, can be considered the assessment. The short answer is No. Again, CMS believes that this is not a screening, but an assessment, and is to be used when the practitioner believes that the patient has unmet SDoH needs that are interfering with the diagnosis or treatment of an illness, so this needs to be an in-person assessment.

(source: )

CMS did not finalize the requirement that the assessment must be done on the same day as one of these visits, but it seems likely that is when it will be done. They do not believe it will be performed in advance, via a portal, because it is not a screening. It is performed as an assessment based on the practitioner’s evaluation of the patient’s situation.

Also, it is important to remember that G0136 will be subject to cost sharing (co-pay and deductible) unless it is done at an Annual Wellness Visit (AWV), codes G0438-G0439. The published guidance states that, when performed on the same date as the AWV, G0136 will need a -33 modifier to waive the out-of-pocket cost for the patient.

Here is the reimbursement breakdown

  • Non-Facility total RVU is 0.57 = $18.39 (office)*
  • Facility total RVU is 0.18 = $5.99 (hospital, SNF, CAH, etc..)*

(* For services after 3/9/2024 the adjusted CY CF is $33.2875)

Some examples of SDoH factors (diagnoses) per

  • Illiteracy and low-level literacy —> Low health literacy may require different or more extensive efforts with patient education (i.e. all verbal instruction because patient can’t read written instructions)
  • Inadequate housing —> Patient may lack refrigeration in their home so can’t be prescribed cold storage medications, so you have to prescribe something else. May have mold infestation so have to intensify management of their asthma.
  • Extreme poverty or Low income —> May not be able to afford medications or other over-the-counter type therapies/devices.
  • Disappearance and death of family member —> May decide to defer addressing some medical issues to prioritize providing emotional support for bereavement.
  • Child in welfare custody. —> May have to spend extra time educating new foster parent on medical management or on how to provide support care for medical condition

Even though CMS does not require a specific form or tool, a link was offered on page 346 of the Final Rule. This link was offered for CMS’ Accountable Health Communities tool and is below in references and resources.

References and Cited Resources

OCR Issues a 90-day transition for HIPAA Compliant Telehealth Platforms

Under the PHE (Public Health Emergency), non-HIPAA compliant platforms (like smartphone applications FaceTime and Skype) were allowed as long as they were not public facing (i.e., TikTok, Vimeo, etc).

But with the PHE winding down in less than a month, the OCR (Office of Civil Rights) originally stated that this flexibility would expire with the PHE, meaning that the platform used for all Telehealth encounters has to be HIPAA protected.

The Office of Civil Rights updated this statement in April and said they are “providing a 90-day transition period for healthcare providers to come into compliance with the HIPAA Rules regarding telehealth, according to the HHS OCR.”

The transition period will be in effect beginning on May 12 and will expire at 11:59 p.m. on August 9.

OCR said it would continue to exercise its enforcement discretion and not impose penalties on covered providers for noncompliance during the 90-day transition period. Once the transition period ends, patients will no longer be able to use their non-HIPAA smartphone apps for their Telehealth encounters. They will need to access HIPAA-secured platforms, and physician practices should make sure they are also posting this alert and change in plain sight for patients. They have been used to 3 years of relaxed rules, and these rules will be back to pre-PHE status by August. The time is now to start making the transition.

Other telehealth provisions expire at the end of 2023 and 2024. Look for our Medicare 1st and 2nd Quarter NSCHBC Webinars for more information on all statuses of the 1135 Waiver Flexibilities at

Why This Matters

HIPAA Enforcement Discretion is expiring with the end of the COVID-19 Public Health Emergency on May 11, according to the OCR notice on April 11.

OCR issued four Notifications of Enforcement Discretion that applied to certain violations of HIPAA rules during the PHE. These were related to community-based testing sites; using protected health information for public health; scheduling appointments for COVID-19 vaccinations; and telehealth.

The “Big Picture”

The Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency will expire at 11:59 pm on May 11, with the expiration of the COVID-19 public health emergency.

In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the Privacy, Security, Breach Notification, and Enforcement Rules of HIPAA would be applied to certain violations during the COVID-19 nationwide public health emergency.

These Notifications and the effective beginning and ending dates are:

  • Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency, effective from March 13, 2020, to 11:59 pm May 11, 2023.
  • Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency, effective from March 17, 2020, to 11:59 pm May 11, 2023.
  • Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, effective from April 7, 2020, to 11:59 pm May 11, 2023.
  • Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency, effective from December 11, 2020, to 11:59 pm May 11, 2023.

The Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency may be found at: – PDF.

On The Record

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the healthcare sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for healthcare providers to make any changes to their workflow operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”


(PHE) Public Health Emergency set to end on May 11th

An announcement on Monday, January 30th, by the OMB (Office of Management and Budget), and the White House, stated that they plan to end the COVID-19 national emergency and public health emergency on May 11th.

The end of the emergency declarations would signal a new chapter in the Biden administration’s response to the COVID pandemic. The public health emergency (PHE) was enacted by the Trump administration in 2020, in response to the COVID-19 pandemic, and has been extended 12 times in almost three years by our former and current HHS Secretaries.

The White House’s plan to end the public health declaration on May 11 came in a statement opposing two Republican House Bills that would end the emergency declarations sooner.

“This wind-down would align with the Administration’s previous commitments to give at least 60 days’ notice prior to termination of the PHE,” the White House said in a statement. In August 2022, CMS issued a statement on its website, encouraging providers and hospitals to start their processes for moving away from the public health emergency¹.

Why this matters

The end of the emergency will also mean states must start the laborious process of redetermining Medicaid eligibility for more than 3 million covered patients.

Congress’ end-of-year spending package gave clarity on another part of the public health emergency: the end of the continuous coverage requirement for Medicaid.

At the start of the pandemic, the federal government increased the matching rate for Medicaid payments to states, but only if the state would not drop anyone off Medicaid’s rolls for the duration of the public health emergency. The spending package, however, enabled states to start Medicaid eligibility redeterminations on April 1. This was necessary because many patients went back to work, were not eligible for Medicaid, and are sitting with dual coverage, which is very expensive for states when the patient has employer-sponsored health insurance already.

The White House statement went on to say, “Ending these emergency declarations in the manner contemplated by H.R. 382 and H.J. Res. 7 would have two highly significant impacts on our nation’s health system and government operation,” the statement said. “An abrupt end to the emergency declarations would create wide-ranging chaos and uncertainty throughout the health care system—for states, for hospitals and doctors’ offices, and, most importantly, for tens of millions of Americans.”

However, the statement did not take into account the 2022 Consolidated Appropriations Act and the 2023 Omnibus Bill that was signed into law on 12/29/2022, which will extend many of the 1135 Waiver Flexibilities under the CARES Act, including Telehealth, once the PHE ends.

The Omnibus Act, which Congress passed late last year, extended many Telehealth services and reimbursements under Medicare. One rule of note was the originating site requirements for patients receiving Telehealth services. They may still use their home as an “originating site” to receive Telehealth services. The rules on crossing State-lines however, have expired in many states and we encourage practices to research if their state will still allow their physician to practice medicine in a state where they are not licensed. Most won’t. The link below will help in this determination².

The current PHE was set to expire on April 11th, 2023. The original national emergency that was declared on March 13, 2020, was set to expire on March 1, the OMB said.

The announcement gives providers more than their promised 60-day notice of the end of the PHE and the termination of many of the waivers the Centers for Medicare and Medicaid Services put in place to ease restrictions on hospitals and other providers during the public health emergency.

The Biden administration plans to extend the national emergency declaration and the PHE to May 11th, and then end both emergencies on that date.

The OMB also announced on Monday that H.R. 497, which it opposes, would end the COVID-19 vaccine mandates for healthcare providers. Once the PHE ends, it is unclear if those mandates will be lifted, but it appears that they will be.

The larger picture

The PHE has been extended 12 times since it was first made in January 2020, effective March 1st, 2020.

The current PHE, extended by current Health and Human Services Secretary Xavier Becerra on January 11, was scheduled to end on April 11. The providers’ promised 60-day notice would have been on February 10th. This is an additional 30 days to that 60-day promise to work on the rollbacks.

What hasn’t been addressed in the post-PHE era

  • Audio-only Telehealth was extended through 2024 for some services, but “payment parity” was only extended through 2023.
  • New patients were allowed to be seen under the PHE, but once the PHE ends, only established patients will be able to receive Telehealth services, reverting to the original rule that there “..has to be an established patient relationship..” to engage in Telehealth services.
  • The OCR (Office of Civil Rights) announced, after the OMNIBUS Bill was signed into law, that even though Telehealth will still be allowed through 2024, the non-HIPAA platforms that were allowed (e.g. Skype and FaceTime) will no longer be an option. Patients and Providers will have to engage in HIPAA-secured platforms for the delivery of Telehealth.
  • Behavioral Health Services will continue to be allowed under Audio and Video, and Audio-only rules, with some restrictions and identifying modifiers.
  • The POS (Place of Service) can continue to be the POS that would have been appropriate if the patient was seen in person. However, POS 10 can be used when the patient’s originating site is their home. Reimbursement may be based on facility rates instead of non-facility rates.

There are more rules to discuss. I invite you to join me at the NAMAS 2023 Virtual Conference where the session of Telehealth – post-PHE will be presented by Healthcare Consultant and SME Terry Fletcher and Healthcare Attorney Brianna Santolli, Esq. April 5th and 6th, 2023. Also, this topic of post-PHE will be discussed in my Medicare 1st Quarter Webinar update with NSCHBC.




¹ Creating a Roadmap for the End of the COVID-19 Public Health Emergency | CMS



What’s changing with the new 2023 AMA CPT E/M update?

Physician practices have been trying to keep up with all of the recent changes that have been made to the Evaluation and Management Codes over the past 2 years in the office setting.

In 2021, AMA CPT® Editorial Panel approved and published new documentation guidelines for Office and Other Outpatient Evaluation and Management (E/M) CPT® codes (99202-99215, deleting 99201) and their code descriptors and documentation standards that directly addressed the continuing problem of administrative burden for physicians in nearly every specialty, across the country.

After these revisions were implemented, in 2021, it has been challenging for physicians to manage two sets of documentation rules, since the office visits were the only rules updated and the 1995/1997 documentation guidelines were still in place for all hospital E/M services.

However, announced this past week, is some good news. The CPT® Editorial Panel has now approved, for 2023, additional revisions to the rest of the E/M code section. These revisions seek to provide continuity across all the E/M sections, by allowing for the revisions implemented in the E/M office visit section in 2021 to extend to all other E/M sections beginning January 1st, 2023.

Medicare (CMS) also has a stake in this update and published their version of the new updates in their recent (July 7th) newsroom article.

Evaluation and Management (E/M) Visits

As part of the ongoing updates to E/M visits and related coding guidelines that are intended to reduce administrative burden, the AMA CPT® Editorial Panel approved revised coding and updated guidelines for Other E/M visits, effective January 1, 2023. Similar to the approach we finalized in the CY 2021 PFS final rule for office/outpatient E/M visit coding and documentation, we are proposing to adopt most of these changes in coding and documentation for Other E/M visits (which include hospital inpatient, hospital observation, emergency department, nursing facility, home or residence services, and cognitive impairment assessment) effective January 1, 2023. This revised coding and documentation framework would include CPT code definition changes (revisions to the Other E/M code descriptors), including:

  • New descriptor times (where relevant).
  • Revised interpretive guidelines for levels of medical decision making.
  • Choice of medical decision making or time to select code level (except for a few families like emergency department visits and cognitive impairment assessment, which are not timed services).
  • Eliminated use of history and exam to determine code level (instead there would be a requirement for a medically appropriate history and exam).

We are proposing to maintain the current billing policies that apply to the E/Ms while we consider potential revisions that might be necessary in future rulemaking. We are also proposing to create Medicare-specific coding for payment of Other E/M prolonged services, similar to what CMS adopted in CY 2021 for payment of Office/Outpatient prolonged services.

The following is a summary of some “key” revisions to the E/M code descriptors and guidelines for 2023.

  • Expect deletion of observation CPT® codes (99217-99220, 99224-99226), which are merged into the existing hospital care CPT® codes (99221-99223, 99221-99233, 99238-99239), with updated code descriptors.
  • Consultations will get a facelift, with the deletion of some confusing guidelines, including the definition of “transfer of care”.
  • In keeping with the level one CPT® code deletions of 2021, as MDM duplication, expect to see the deletion of lowest level office (99241) and inpatient (99251) consultation codes to align with four levels of MDM, in 2023.
  • Nursing facility services, along with home and residence services will also see revisions in line with similar documentation rules as the 2021 office visit revisions.
  • Home and residence services or what is also referred to as the domiciliary or rest home CPT® codes (99324-99340) were deleted and merged with the existing home visit CPT® codes (99341-99350).

The CPT® Editorial Panel worked again to create revisions to the E/M code descriptors and guidelines that met their objective to decrease the administrative burden of excessive documentation whenever possible. We hope that, as physicians continue to embrace these changes, it will decrease the need for audits, through the expansion of fundamental definitions of E/M encounters, and by focusing on patient care, and not the unnecessary and potentially non-contributory work of cut-and-paste, templated items.

We will be presenting Educational Webinars OnDemand and Live on E/M updates to make sure everyone is up to speed on their updates prior to implementation, 1-1-2023. These will be scheduled this fall. Continue to visit our website for an updated educational calendar.


PHE Extended But Some Waivers Expired

The PHE was renewed another 90-days effective April 16th, 2022, but what 1135 waivers expired?

Renewal of Determination That A Public Health Emergency Exists

As a result of the continued consequences of the Coronavirus Disease 2019 (COVID-19) pandemic, on this date and after consultation with public health officials as necessary, I, Xavier Becerra, Secretary of Health and Human Services, pursuant to the authority vested in me under section 319 of the Public Health Service Act, do hereby renew, effective April 16, 2022, the January 31, 2020, determination by former Secretary Alex M. Azar II, that he previously renewed on April 21, 2020, July 23, 2020, October 2, 2020, and January 7, 2021, and that I renewed on April 15, 2021, July 19, 2021, October 15, 2021, and January 14, 2022, that a public health emergency exists and has existed since January 27, 2020, nationwide.

As expected, the COVID-19 PHE (Public Health Emergency) has been extended another 90-days, effective April 16th, 2022. This means that “most” waivers under the 1135 CARES Act of 2020 will continue to stay in effect through this period, through July 19th, while others are winding down.

CMS has already alerted providers that many nursing home compliance standards will phase out, while still protecting those residents.

During the PHE, CMS used a combination of emergency waivers, 1135 Regulations, and sub-regulatory guidance to offer healthcare providers the flexibility needed to respond to the COVID-19 pandemic. CMS is ending specific waivers in two groups: one will end 30 days from the issuance of the new guidance and the other group will terminate 60 days from issuance.


The good news is that access to certain services, primarily Telehealth Coverage, continues not only through July, under the waiver 1135 flexibilities, but also with the Consolidated Appropriations Act of 2022 Congressional extension, it will continue to be covered for 151 days after the PHE ends. But what does that mean exactly and are there any variables that need to be addressed?

Telehealth with the patient using their home as the originating site will continue to be allowed when billing for office visits when an audio and video connection exists. Audio-only visits billed with telephone CPT® codes will continue for another 90 days as well.

However, there was a new PHE Fact sheet that was published on April 7th, (see link to this sheet below), that addressed some compliance issues that have not been addressed during the PHE, and this could be problematic for many physician practices.

Question 5: Can Medicare fee-for-service rules regarding physician State licensure be waived in an emergency?

The HHS Secretary has authorized 1135 waivers that allow CMS to waive the Medicare requirement that a physician or non-physician practitioner must be licensed in the State in which s/he is practicing for individuals for whom the following four conditions are met:

  1. The physician or non-physician practitioner must be enrolled as such in the Medicare program,
  2. The physician or non-physician practitioner must possess a valid license to practice in the State which relates to his or her Medicare enrollment,
  3. The physician or non-physician practitioner is furnishing services – whether in person or via telehealth – in a State in which the emergency is occurring in order to contribute to relief efforts in his or her professional capacity, and
  4. the physician or non-physician practitioner is not affirmatively excluded from practice in the State or any other State that is part of the 1135 emergency area.

In addition to the statutory limitations that apply to 1135-based licensure waivers, an 1135 waiver, when granted by CMS, does not have the effect of waiving State or local licensure requirements or any requirement specified by the State or a local government as a condition for waiving its licensure requirements. Those requirements would continue to apply unless waived by the State. Therefore, in order for the physician or non-physician practitioner to avail him or herself of the 1135 waiver under the conditions described above, the State also would have to waive its licensure requirements, either individually or categorically, for the type of practice for which the physician or non-physician practitioner is licensed in his or her home State.

Many practices made assumptions that if CMS and Medicare said you can do it, that this was a blanket waiver for all states and all payers. Not true.

Question 10: Does a PHE declaration waive or preempt state licensing requirements for healthcare providers?

No, a PHE declaration does not waive or preempt state licensing requirements. States determine whether and under what circumstances a non-Federal healthcare provider is authorized to provide services in the state without state licensure. As discussed in response #5 above, when the Secretary issues an 1135 waiver, the Secretary may waive Medicare, Medicaid or SCHIP requirements that physicians and other health care professionals hold licenses in the State in which they provide services. This would be for Medicare, Medicaid or SCHIP reimbursement purposes only, and would apply only if the physicians or other health care providers have an equivalent license from another State (and are not affirmatively barred from practice in any State in the emergency area).

Again, these clarifications were made on the PHE, not included in the COVID-19 FAQ Sheets. This may be confusing for some practices, as, again, the assumptions made were not clear. I would strongly urge physicians who treated patients during the PHE, via Telehealth in other states, to check with their personal liability insurance coverage and their healthcare attorney to make sure no infractions of the rules were made. Also, for any retired physicians that were allowed, again, under the COVID-19 waivers, to come out of retirement and see patients via Telehealth for Medicare: did your state allow this for private insurance and self-pay patients? Many state-level PHE Waivers expired in 2021 and early 2022.

We strongly urge clients and physicians to check with their liability/malpractice insurance and their state legislature rules on Telehealth, and what is allowed for physicians continuing to cross state lines with virtual care. Protect yourself and your practice by being informed. If you need any assistance finding this information, please use our “Contact Us” tab to engage services.


Renewal of Determination That A Public Health Emergency Exists

As a result of the continued consequences of the Coronavirus Disease 2019 (COVID-19) pandemic, on this date and after consultation with public health officials as necessary, I, Xavier Becerra, Secretary of Health and Human Services, pursuant to the authority vested in me under section 319 of the Public Health Service Act, do hereby renew, effective October 18, 2021, the January 31, 2020, determination by former Secretary Alex M. Azar II, that he previously renewed on April 21, 2020, July 23, 2020, October 2, 2020, and January 7, 2021, and that I renewed on April 15, 2021 and July 19, 2021, that a public health emergency exists and has existed since January 27, 2020, nationwide.


Are you a HIPAA entity? The “Privacy Law” is probably not what you think.

If you have heard the acronym HIPAA thrown around a lot lately, you are probably thinking, “Do I know what HIPAA means?” So many are throwing that term around in the false belief that their legal or privacy rights are being violated in some way as more and more companies are requiring COVID-19 vaccines to secure employment, to stay employed, and now, let’s face it, to enter certain public places or to travel.

Well first, let’s clear up the confusion.

The first thing you should know about HIPAA is that it’s HIPAA, not HIPPA. There is only one P, and that P doesn’t stand for “privacy.”

“People make up what that acronym stands for,” Deven McGraw, co-founder, and chief regulatory officer of the medical records platform Citizen and former deputy director for health information privacy at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), had stated in a recent interview.

“More often than not, [they think it’s] Health Information Privacy Protection Act: HIPPA. Yeah, that law does not exist.”, McGraw said.

But now, we see the media asking government officials like Georgia Rep. Marjorie Taylor Greene, or Dallas Cowboys quarterback Dak Prescott, or New England Patriots quarterback Cam Newton, and all “invoke” their HIPAA rights. Greene even claimed, more than once, that just asking the question was somehow a “violation of her HIPAA rights”. Incorrect. As more and more employers, healthcare entities and even schools mandate that employees and students get vaccinated, we need to make sure we are clear on not only what HIPAA is, but how it is applied.

So let’s get one big question out of the way first:

Is it a HIPAA violation for your employer to require vaccines?


Nor is it a HIPAA violation for them to ask for proof that you have been vaccinated, though many people seem to think that providing or even soliciting any sort of health information automatically becomes a HIPAA issue.

Employers do have to keep their employees’ vaccination statuses confidential, but that’s because of the Americans with Disabilities Act — not HIPAA, which, again, doesn’t apply here.

Why is HIPAA so misunderstood?

Both the misspelling and the widespread belief that HIPAA confers a strict set of privacy protections to any health data — and that everyone is subject to those laws — are common, although frustrating mistakes: Most patients only come across the term HIPAA, when signing the notice of privacy practices that the law mandates their health care providers have them sign. Plus, most people consider their health information to be very sensitive and assume their physicians and lawmakers have put the appropriate guardrails in place to keep it as private as possible. But HIPAA’s privacy rules are more limited than many may realize.

What is not well understood about HIPAA is its limits. It’s very specifically a law that regulates information that is collected because a person is seeking health care.

Normally, the misunderstanding would be just an annoying misstep, but the pandemic has helped bring health privacy issues to the fore. As with many other things over the past year, we’ve moved many of our health interactions to the virtual space, and with the CMS 1135 Waiver flexibilities, under the C.A.R.E.S. Act, some of those interactions may not be covered or protected by HIPAA, but many people simply assume they are.

For example: If you are participating in a Telehealth encounter with your physician, and you are using a smartphone application, such as FaceTime or Skype, as allowed under the Waiver 1135 during the PHE, these platforms are not HIPAA protected, and your physician must inform you of that potential risk of breach of your personal health information before you choose to continue with your visit. The fact that you were informed also has to be well documented in the encounter, in the way of consent.

What has happened since about 2-3 months into the pandemic is that it has become increasingly politicized, and many people have cited “HIPAA rights” as an excuse to get out of mask mandates and to declare vaccine passports and mandates to be illegal. Neither of these assertions is true, but that hasn’t stopped many people from making them — even though using them to avoid public safety measures could be harmful to everyone. People believe misinformation with such a high level of confidence that it is out of control in the COVID era.

The perception that HIPAA is solely a health privacy law that everyone is subject to has become so common that there’s a massive amount of confusion about who and what HIPAA applies to, and the sheer volume of bad information about it is nearly insurmountable.

Social media platforms have been a problem when attempting to give credible information. Trying to get people to understand what a “Covered Entity” or “Business Associate” is in 280 characters is not an easy task. These platforms can write the words, but of course, people will believe what they want, and if it is contrary to what they want it to mean, then the platform doesn’t lend itself well to a considered nuanced discussion.

What HIPAA does

So what does that one P stand for if not privacy? Portability.

HIPAA is short for the Health Insurance Portability and Accountability Act. The 1996 law’s origins lie in creating federal standards for digitizing medical claims data and records (“accountability”) and allowing employees to have health insurance coverage, including for preexisting conditions, when they changed jobs (that’s the “portability”) — rights they did not have before the Affordable Care Act.

The privacy provision that most of us associate with HIPAA today wasn’t the focus of the law at the time. When Congress passed this law, they knew on some level that there was going to be a massive digital transition to our health data in the future, and there might need to be privacy protections for that.

It took a few years to work those protections out, so HIPAA’s privacy rules weren’t issued until the end of 2000, and didn’t fully take effect until 2002. There was a recent update in 2013.

HIPAA only applies to what is called “Covered Entities.” Those are, essentially, health care providers (doctors, hospitals, and pharmacies, for instance), health insurers, and health care clearinghouses (which process medical data). It also covers their “business associates,” or contractors who have to handle medical records in some way to do work for those covered entities. Those parties are required to follow certain protocols to keep your protected health information secure and private, especially in the digital transfer of patient health information.

This is why healthcare providers or insurers might require patients to communicate with them through secure, HIPAA-compliant channels and patient portals, or take other steps to verify a patient’s identity before discussing protected health information with them. HIPAA’s privacy rule also requires that health care providers give the patient a notice of their privacy practices and allow patients to access their medical records. A lot of HIPAA complaints from patients aren’t about privacy violations but about lack of access to medical records, which created the 21st Century Cures Act, to shift that focus to the OCR – Office of Civil Rights.

What HIPAA doesn’t do

It’s important to note that medical privacy didn’t begin with HIPAA, and it’s not the only health privacy law out there. The concept of doctor-patient confidentiality has existed for a long time — it’s part of the Hippocratic Oath (which is not a law) — and that trust is a necessary part of good medical care.

Patients have to feel a level of comfort that if they tell their physician some very private and secret things, those things will be kept that way. This allows a physician to give the patient the right care and diagnose them properly.

At the same time, many people freely give away their health information to all kinds of places and platforms and to people who have no real legal obligation to keep that information private or secure. With the internet and social media, this is happening more than ever.

Consider this: if you’re recording your steps on a Fitbit or you’re using a nutrition app, that’s not going to be covered by HIPAA. The company behind it is not a HIPAA entity and can use that information to market athletic shoes or equipment, supplements, etc. to you.

That amazing massage therapist appointment you Tweeted about? Your vaccine card Instagram selfie? Your membership in a Facebook support group for people who have cancer? The period tracker app on your phone? The heart rate monitor on your wrist? Browsing WebMD for information about your recent COVID-19 diagnosis? The mail-order DNA test? The Uber trip you took to the emergency room? That is all health information, most of it is directly tied to you, and it can be sensitive, but none of it is covered by HIPAA (unless protected health information is shared with a covered entity, like a hospital or physician who ordered it, requested it, and asked you to deliver it that way). Even then, it is sketchy.

And then we’ve got the organizations that handle health data but aren’t covered by HIPAA, including most schools, law enforcement, life insurers, and even employers. They may be covered by other privacy laws, but HIPAA isn’t one of them.

A big hiccup to all this is that we are still under the Federal PHE (some states have let their PHE expire). So, some things that are covered by HIPAA have been given a temporary enforcement waiver due to the pandemic. The Office of Civil Rights will not be enforcing its rule requiring health care providers to use HIPAA-compliant portals for telehealth (as long as patients were informed), nor will it require covered entities to use HIPAA-compliant systems to schedule vaccines — an issue that arose when some health services’ sign-up portals crashed and the services turned to the event scheduling platform, Eventbrite. Eventbrite is a good service for getting a lot of people signed up for an event in high demand, but it’s not HIPAA compliant, and it posts events on a public forum.

The Office of Civil Rights (OCR) has stated that that enforcement discretion will remain in effect “until the Secretary of HHS determines that the public health emergency no longer exists,” but again, patients need to be informed of this security risk, as outlined in the CURES Act and the CMS FAQ rules sheets.

A Dose of Reality on HIPAA

Understand that if you go to Starbucks (not a covered entity) and refuse to wear a mask because you say you have a health condition, it is not a HIPAA violation if the barista asks you what that condition is, nor is it a HIPAA violation if Starbucks refuses service to you. They are a private business and not a HIPAA entity and can enforce any rules they want that they feel protect public safety and their business, as long as it is not discriminatory to a protected class (i.e., race, religion, gender, disability, etc.).

If your doctor were to walk into that Starbucks and broadcast your health information to anyone within earshot without your permission, that would be a HIPAA violation. It would also be a good time to consider changing doctors. Fortunately, HIPAA allows you to request your medical records and bring them to a new provider. And if someone else happened to record your doctor’s outburst and put it on TikTok, that’s not a HIPAA violation, even though it does include information that was once protected by HIPAA.

Additionally, someone asking if you’ve been vaccinated is not a HIPAA violation. It’s not a HIPAA violation for anyone to ask about any health condition you may have, though it might be considered rude. A business requiring you to show proof that you’ve been vaccinated before you can enter is not a HIPAA violation. Your employer requiring you to be vaccinated and show proof before you can go to the office is not a HIPAA violation. Schools requiring that students get certain vaccinations before they’re allowed to attend is not a HIPAA violation.

Oh, and vaccine passports (which the Biden administration has already said it has no plans to mandate, though that could change in the future) are also not HIPAA violations.

Look at certain health records apps that are all the rage now, like New York’s Excelsior Pass (ePass): to use it, you are voluntarily giving the app permission to access your health records, and, as the app’s disclaimer clearly states: “[T]he website is not provided to you by a health care provider, so, as such, you are not providing protected health information for health care treatment, payment, or operations (as defined under Health Insurance Portability and Accountability Act (HIPAA)).” Does anyone read the fine print anymore?

So HIPAA isn’t the all-inclusive health privacy law so many people assume it is, but that mass assumption suggests that such a law is both wanted and may be needed. HIPAA has a lot of gaps that a privacy law can and should fill. The pandemic has only made this more apparent.

What we need is for Congress to pass a comprehensive privacy law that sets limits on what the companies can use this data for, how long they can keep it, who they can disclose it to, and doesn’t put the burden of dealing with that on the individual.

Rep. Suzan DelBene (D-WA) is one of several lawmakers who have pushed for better health privacy protections during the pandemic, including as a co-sponsor of the Public Health Emergency Privacy Act, a bill that was introduced in both houses of Congress in 2020 and reintroduced in early 2021. Its premise is that it would protect digital health data collected to stop the pandemic (for instance, by contact tracing apps or vaccine appointment booking tools) from being used for unrelated purposes by the government or private businesses.

HIPAA provides some protections for our health information, but technology has advanced much faster than our laws.

In the meantime, if you have any question whether or not you or another business or person is a “Covered Entity” and needs to comply with HIPAA standards, CMS has a tool to help health care providers and organizations determine whether or not they are considered a covered entity. The link is included below. Also, join me (Terry Fletcher) and Healthcare Attorney and fellow NSCHBC member Amanda Waesch for our October 12th episode of the NSCHBC Edge podcast. We will be discussing this very topic and diving into the legalities of these mandates and how they will affect healthcare providers soon.

You can also listen to Terry each week on her CodeCast Podcast found on all downloadable platforms.


Renewal of Determination That A Public Health Emergency Exists

As a result of the continued consequences of the Coronavirus Disease 2019 (COVID-19) pandemic, on this date and after consultation with public health officials as necessary, I, Xavier Becerra, Secretary of Health and Human Services, pursuant to the authority vested in me under section 319 of the Public Health Service Act, do hereby renew, effective July 20, 2021, the January 31, 2020, determination by former Secretary Alex M. Azar II, that he previously renewed on April 21, 2020, July 23, 2020, October 2, 2020, and January 7, 2021, and that I renewed on April 15, 2021, that a public health emergency exists and has existed since January 27, 2020, nationwide.


Telehealth, Now and after PHE

As we are now well into 2021, and over 12 months from the beginning of the first announced PHE (public health emergency), the past year has been a whirlwind of medical practices having to pivot to a new delivery of care, Telemedicine. This platform, also referred to as Telehealth, has seen an uptick of visits in the 80-90% range of overall patient outpatient encounters, according to MGMA.

CMS and other Commercial payers adjusted their coverage policies to allow for these types of visits, virtual and remote care when the patient is in their home, and their care is delivered by an audio and video platform, or through a telephone call. The reason that the insurance payers have allowed Telehealth during the PHE, is to limit the spread of COVID-19 and to protect the most vulnerable to the virus, but still allowing for needed care.

Many pro-Telehealth entities and providers are advocating to continue with the current PHE rules of Telemedicine delivery once the PHE ends, but the OIG stated in its 2021 Work Plan that it will assess the overall effectiveness of Telehealth and ensure it is not just a convenience over a medically necessary delivery of medicine.

With the 2021 Medicare PFS (Physician Fee Schedule) changes and the CMS C.A.R.E.S. Act flexibilities set to roll back once the PHE ends, what can you do now in your practice to prepare for potential changes in reimbursement and coverage?

The first thing to realize is that the PHE is temporary.

Yes, the COVID-19 virus challenges may take us through the end of 2021 to slow, and as vaccines increase, there is a light at the end of the tunnel, but the PHE, in the truest of definitions, will end at some point. That will mean regulations will be rolled back; to what extent we are not completely sure, but we have the Social Security Act and CMS rules to follow and that cannot be changed unless an act of Congress does so and that takes months, even years to make happen.

In the CodeCast podcast, last November and December, I discussed this very question and how practices should handle the potential transition, once the PHE ends, also what is being audited since Telehealth services are now on the OIG Workplan for 2021. But the question, “Are you all-in on Telehealth or is this a stopgap during PHE?” has to be answered first.

How much is your practice willing to spend to make sure that your patients have equal access to an audio and video platform? Many patients still do not have the high-speed internet needed to engage in Telehealth services, and when the PHE ends, non-HIPAA protected platforms such as FaceTime and Skype will no longer be an option.

Also, one of the flexibility rules that will be rolled back to the original Telehealth regulation is that the “individual receiving the service must be located in a telehealth originating site”. This means the patient’s home will not be an option once the PHE ends, unless the patient qualifies in an HPSA (Health Professional Shortage Area) or is a mental health patient.

Under the CARES Act, Congress gave CMS the ability to waive the geographic location requirement during the COVID-19 PHE.

The current Public Health Emergency (PHE) is in effect through April 22, 2021, per for certain RPM services through December 31, 2021  (the year in which the PHE ends).

CMS, in the 2021 Final Rule, grouped the Telehealth services into three categories as we navigate this next year during the PHE:

  • Category 1: services/CPT/HCPCS codes that will become permanent after the PHE is over;
  • Category 2: services/CPT/HCPCS codes that will be removed when the PHE expires; and
  • Category 3: services/CPT/HCPCS codes added to the list, but only temporarily.

Category 3 codes, such as physical and occupational therapy, initial hospital care discharge day management, inpatient neonatal and pediatric critical care, initial and subsequent, may not remain after the PHE expires. CMS has also been clear that audio-only phone call codes, 99441-99442, will not be covered under the Telehealth provision once the PHE ends, and it created a new G-code, G2252, as an 11-20-minute audio-only code cross-walked to code 99442 to allow for an encounter when the physician may not be able to have an encounter to visualize the patient.

We cannot foresee the future on where Telehealth is going, but on one recent CMS “Office Hours Calls”, when asked about the patient’s home as a valid place of service (POS) continuing after the PHE ends, they stated “No”. Again, only for HRSA (rural Health Professional Shortage Area) or MSA (Metropolitan Statistical Area) patients, or for patients suffering from mental illness, was that a possibility. That is a huge determining factor when a patient chooses to use Telehealth or not.

If they have to leave their house anyway to transport to an “approved” originating site, such as a hospital, physician’s office, or another medical facility, they might as well keep driving to their physician’s office if that is the only option. Commercial plans may allow more flexibility on this delivery of medicine since they are contract providers and can call their shots when it comes to coverage.

The healthcare consultants at NSCHBC want to advise our clients and potential clients to do their due diligence and determine whether they will continue offering Telehealth in their practice in the future, and what the business model for that offering will be. Most practices have said they will offer it, but it would be a good idea to survey your patients to find out what they would do if suddenly their home was not an approved site to receive Telehealth benefits.

Would they pay cash? Would they still engage? Or would they go back to the in-person care? A question for providers that have been using the PHE allowed smartphone device platforms such as FaceTime and Skype, “Will you invest in additional software to be HIPAA compliant?” These are questions to ask, as you prepare for another pivot in your delivery of medicine once the PHE ends.

Stay tuned to this ever-changing virtual delivery of medicine and how, after PHE, the reimbursement process will be handled and how it will affect continued payer coverage in medical practices.

You can listen to Terry expand on Telehealth in her weekly CodeCast Podcast available on all downloadable platforms.



Urgent Telemedicine update from CMS and the White House

COVID-19 Regulatory Alert: Medicare Telehealth Services Restrictions Lifted

Today, the Centers for Medicare & Medicaid Services (CMS) issued guidance on Health and Human Services (HHS) Secretary Alex Azar’s waiver authority that broadens access to Medicare telehealth services. Effective March 6, 2020 and for the duration of the COVID-19 Public Health Emergency, CMS will:

  • Waive geographic restrictions, meaning patients can receive telehealth services in non-rural areas;
  • Waive originating site restrictions, meaning patients can receive telehealth services from their home;
  • Allow use of telephones that have audio and video-capabilities; stored information
  • Encounter has to be patient initiated
  • Allow reimbursement for any telehealth services “covered code”, including Office Visits (99201-99215), even if unrelated to COVID-19 diagnosis, screening, or treatment; and
  • Will not enforce the established patient relationship requirement, as determined by CPT Guidelines that a patient see a provider within the last three years.

The Medicare telemedicine healthcare provider fact sheet can be found at:

The Medicare FAQ on these telehealth waivers can be found at:

The Enforcement Discretion for telehealth remote communications during the COVID-19 notice can be found at:

Expect more updates on this in the days and weeks ahead!


How To Register

Please join Terry Fletcher BS, CPC, CCC, CEMC, CCS, CCS-P, CMC, CMSCS, ACS-CA, SCP-CA, QMGC, QMCRC, QMPM for an on-demand webinar on how to implement these changes and more.

You can register for this session by clicking the button below and scrolling down to the register section.

Cost: $299.

Note: This webinar has been updated and replaced by Telehealth OnDemand Webinar: CMS and Other Payer Updates which you can register for at the same link below.

Register Now