Use of Telemedicine During a Public Health Emergency
DISCLAIMER
This information and compliance guidance has been gathered and interpreted by No World Borders from various resources, including CMS, and Medicare Administrative Contractors (MACs) and is provided for informational purposes. This should not be viewed as an official policy of CMS or the MACs. The provider is always responsible for determining and complying with applicable CMS, MAC and other payer requirements.
- The federal government declared a Section 1135 waiver which granted increased flexibility for the use of telehealth. The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) broadened the waiver authority under section 1135 of the Social Security Act; the Secretary has authorized additional telehealth waivers. CMS is waiving the requirements of section 1834(m)(4)(E) of the Act and 42 CFR § 410.78 (b)(2), which specify the types of practitioners that may bill for their services when furnished as Medicare telehealth services from the distant site. The waiver of these requirements expanded the types of health care professionals who can furnish distant-site telehealth services to include all those who are eligible to bill Medicare for their professional services. This allows healthcare professionals who were previously ineligible to furnish and bill for Medicare telehealth services, including physical therapists, occupational therapists, speech-language pathologists, and others, to receive payment for Medicare telehealth services. This waiver will end 151 days after the conclusion of the PHE.
- 418.204(d) Special coverage requirements provide,
(d) Use of technology in furnishing services during a Public Health Emergency. When a patient is receiving routine home care during a Public Health Emergency as defined in § 400.200 of this chapter, hospices may provide services via a telecommunications system if it is feasible and appropriate to do so to ensure that Medicare patients can continue receiving services that are reasonable and necessary for the palliation and management of a patient’s terminal illness and related conditions.
The use of such technology in furnishing services must be included in the plan of care, meet the requirements at § 418.56, and must be tied to the patient-specific needs as identified in the comprehensive assessment , and the plan of care must include a description of how the use of such technology will help to achieve the goals outlined on the plan of care.
Indeed, earlier in 2020 CMS issued a notice pursuant to the public health emergency [“Public Health Emergency (PHE) means the Public Health Emergency determined to exist nationwide as of January 27, 2020, by the Secretary pursuant to section 319 of the Public Health Security Act on January 31, 2020, as a result of confirmed cases of COVID-19, including any subsequent renewals.”]
“This interim final rule with comment period (IFC) gives individuals and entities that provide services to Medicare beneficiaries needed flexibilities to respond effectively to the serious public health threats posed by the spread of the 2019 Novel Coronavirus (COVID-19).
Recognizing the urgency of this situation, and understanding that some pre-existing Medicare payment rules may inhibit innovative uses of technology and capacity that might otherwise be effective in the efforts to mitigate the impact of the pandemic on Medicare beneficiaries and the American public, we are changing Medicare payment rules during the Public Health Emergency (PHE) for the COVID-19 pandemic so that physicians and other practitioners, home health and hospice providers, inpatient rehabilitation facilities, rural health clinics (RHCs), and federally qualified health centers (FQHCs) are allowed broad flexibilities to furnish services using remote communications technology to avoid exposure risks to health care providers, patients, and the community.
We are also altering the applicable payment policies to provide specimen collection fees for independent laboratories collecting specimens from beneficiaries who are homebound or inpatients (not in a hospital) for COVID-19 testing.
We are also expanding, on an interim basis, the list of destinations for which Medicare covers ambulance transports under Medicare Part B. In addition, we are making programmatic changes to the Medicare Diabetes Prevention Program (MDPP) and the Comprehensive Care for Joint Replacement (CJR) Model in light of the PHE, and program-specific requirements for the Quality Payment Program to avoid inadvertently creating incentives to place cost considerations above patient safety.
This IFC will modify the calculation of the 2021 and 2022 Part C and D Star Ratings to address the expected disruption to data collection and measure scores posed by the COVID-19 pandemic and also to avoid inadvertently creating incentives to place cost considerations above patient safety.
This rule also amends the Medicaid home health regulations to allow other licensed practitioners to order home health services, for the period of this PHE for the COVID-19 pandemic in accordance with state scope of practice laws. We are also modifying our under arrangements policy during the PHE for the COVID-19 pandemic so that hospitals are allowed broader flexibilities to furnish inpatient services, including routine services outside the hospital.”
Telehealth Facility Fees
HCPCS code Q3014 – Telehealth originating site facility fee may be used. No Medicare local coverage determinations (Medicare LCDs) were found for this code at the time this was published.
Data Privacy guidelines are essential. See our Data Privacy Capabilities for Healthcare
Related links: Telehealth bonuses, eligibility, modifiers and special provisions for substance use disorder prevention
Physician Bonuses
Medicare Telehealth Payment Eligibility Analyzer
New Modifier for Expanding the Use of Telehealth for Individuals with Stroke
Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment (SUPPORT) for Patients and Communities Act
Medical Billing Expert Witness
| CVE Number | Vulnerability Description | Prior NSA Cybersecurity Guidance (Some focused on other actors) |
|---|---|---|
| CVE-2019-11510 | In Pulse Secure VPNs,® 7 an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords. | CSA – Mitigating Recent VPN Vulnerabilities U/OO/196888-19 CSA – Advisory - APT29 target COVID-19 research organizations U/OO/152680-20 |
| Affects: Pulse Connect Secure® (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. [1] | ||
| 1 T1190 and T1133 are MITRE® ATT&CK® techniques. MITRE and ATT&CK are registered trademarks of The MITRE Corporation. 2 Refer to CSI – Update and Upgrade Software Immediately U/OO/181147-19 3 Refer to CSI – Perform Out-of-Band Network Management U/OO/169570-20 4 Refer to ORN – Outdated Software and Protocols Continue to Result in Endpoint and Network Compromise U/OO/802041-16 5 Refer to CSI – Segment Networks and Deploy Application-Aware Defenses U/OO/184967-19 6 Refer to CSI – Continuously Hunt for Network Intrusions U/OO/181860-19 7 Pulse Secure VPN® is a registered trademark of Pulse Secure, LLC. | ||
| Additional Mitigations: Note that patching does not address credentials which may have been lost prior to patches being applied. NSA discourages the use of proprietary SSLVPN/TLSVPN protocols, which are not compliant with CNSS policy. Transition SSLVPN/TLSVPN deployments to either IETF standard-conformant TLS for single application use cases, or to IKE/IPsec VPNs, preferably using one of the evaluated TLS software applications or IPSec VPN gateways/clients listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL). | ||
| CVE-2020-5902 | In F5 BIG-IP® 8 proxy / load balancer devices, the Traffic Management User Interface (TMUI) - also referred to as the Configuration utility - has a Remote Code Execution (RCE) vulnerability in undisclosed pages. | CSI – Harden Network Devices U/OO/171339-16 CSI – Perform Out-of-Band Network Management U/OO/169570-20 |
| Affects: F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1. [2] Additional Mitigations: By default, the TMUI is accessible via the management interface on both the external and internal interface. Best practice is to disable the external interface and configure an out-of-band management network. NSA released guidance for this in the Harden Network Devices CSI (U/OO/171339-16) and the Perform Out-of-Band Network Management CSI (U/OO/169570-20). | ||
| CVE-2019-19781 | An issue was discovered in Citrix® 9 Application Delivery Controller (ADC) and Gateway. They allow directory traversal, which can lead to remote code execution without credentials. | CSI – Detect and Prevent Web Shell Malware U/OO/134094-20 CSA – Advisory - APT29 target COVID-19 research organizations U/OO/152680-20 CSA – Mitigate CVE-2019-19781 U/OO/103100-20 |
| Affects: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b. [3] | ||
| CVE-2020-8193 CVE-2020-8195 CVE-2020-8196 | Improper access control and input validation, in Citrix® ADC and Citrix® Gateway and Citrix® SDWAN WAN-OP, allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users. | CSI – Detect and Prevent Web Shell Malware U/OO/134094-20 |
| Affects: Citrix ADC and Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18, ADC FIPS versions before 12.1-55.179 and SD-WAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7. [4] | ||
| CVE-2019-0708 | A remote code execution vulnerability exists within Remote Desktop Services®10 when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. | CSA – Patch Remote Desktop Services on Legacy Versions of Windows U/OO/152674-19 ORN – Outdated Software and Protocols Continue to Result in Endpoint and Network Compromise U/OO/802041-16 |
| Affects: Microsoft Windows®11 XP - 7, Microsoft Windows Server®12 2003 - 2008. Additional Mitigations: Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used by the Remote Desktop Protocol (RDP) and will block attempts to establish a connection. Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat. Enable Network Level Authentication. With NLA enabled, attackers would first have to authenticate to RDS in order to successfully exploit the vulnerability. NLA is available on the Windows® 7, Windows Server® 2008 and Windows Server® 2008 R2 operating systems. | ||
| CVE-2020-15505 | A remote code execution vulnerability in the MobileIron®13 mobile device management (MDM) | CSI – Update and Upgrade Software Immediately U/OO/181147-19 |
| 8 F5 BIG-IP® is a registered trademark of F5 Networks, Inc. 9 Citrix® is a registered trademark of Citrix Systems, Inc. 10 Remote Desktop Services® is a registered trademark of Microsoft Corporation in the United States and/or other countries. 11 Windows OS® is a registered trademark of Microsoft Corporation in the United States and/or other countries. 12 Windows Server® is a registered trademark of Microsoft Corporation in the United States and/or other countries. 13 MobileIron® is a registered trademark of MobileIron, Inc. | ||
| software that allows remote attackers to execute arbitrary code via unspecified vectors. | ||
| Affects: MobileIron® Core and Connector versions 10.6 and earlier, and Sentry versions 9.8 and earlier. [5] | ||
| CVE-2020-1350 | A remote code execution vulnerability exists in Windows® Domain Name System servers when they fail to properly handle requests. | CSA – Patch Critical Vulnerability in Windows Servers® using DNS Server Role U/OO/152726-20 |
| Affects: Microsoft Windows Server® 2008 - 2019 Additional Mitigations: Keep system and product updated and patched. In the event that an update cannot be applied immediately, the following workaround will prevent the vulnerability from being exploited, per Microsoft’s® recommendation. The workaround configures Windows® DNS servers to restrict the size of acceptable DNS message packets over TCP to 65,280 bytes (0xFF00). Applying the workaround requires a restart of the DNS service. Apply the patch as soon as possible and remove the workaround once the patch is applied. Launch an elevated PowerShell prompt: Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters -Name TcpReceivePacketSize -Type DWord -Value 0xFF00 | ||
| CVE-2020-1472 | An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'. | CSI – Update and Upgrade Software Immediately U/OO/181147-19 |
| Affects: Microsoft Windows Server® 2008 - 2019 Additional Mitigations: Install the patch and implement the additional instructions found in Microsoft article KB4557222. | ||
| CVE-2019-1040 | A tampering vulnerability exists in Microsoft Windows® when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. | CSI – Update and Upgrade Software Immediately U/OO/181147-19 ORN – Outdated Software and Protocols Continue to Result in Endpoint and Network Compromise U/OO/802041-16 |
| Affects: Microsoft Windows® 7 - 10, Microsoft Windows Server® 2008 - 2019. Additional Mitigations: Limit the use of NTLM as much as possible and stop the use of NTLMv1. [6] [7] | ||
| CVE-2018-6789 | Sending a handcrafted message to Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely. | CSI – Update and Upgrade Software Immediately U/OO/181147-19 |
| Affects: Exim before 4.90.1. [8] | ||
| CVE-2020-0688 | A Microsoft Exchange® validation key remote code execution vulnerability exists when the software fails to properly handle objects in memory. | CSI – Detect and Prevent Web Shell Malware U/OO/134094-20 |
| Affects: Microsoft Exchange Server® 2010 Service Pack 3 Update Rollup 29 and earlier, 2013 Cumulative Update 22 and earlier, 2016 Cumulative Update 13 and earlier and 2019 Cumulative Update 2 and earlier. [9] | ||
| CVE-2018-4939 | Certain Adobe ColdFusion®14 versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution. | CSI – Update and Upgrade Software Immediately U/OO/181147-19 |
| Affects: Adobe ColdFusion (2016 release) Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions. [10] | ||
| CVE-2015-4852 | The WLS Security component in Oracle WebLogic®15 Server allows remote attackers to execute arbitrary commands via a crafted serialized Java®16 object. | CSI – Detect and Prevent Web Shell Malware U/OO/134094-20 |
| Affects: Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0. [11] | ||
| CVE-2020-2555 | A vulnerability exists in the Oracle® Coherence product of Oracle Fusion® Middleware. This easily exploitable | CSI – Detect and Prevent Web Shell Malware U/OO/134094-20 |
| 14 Adobe ColdFusion® is a registered trademark of Adobe Systems, Inc. 15 Oracle WebLogic® is a registered trademark of Oracle Corporation. 16 Java® is a registered trademark of Oracle Corporation. | ||
| vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle® Coherence. | ||
| Affects: Oracle Coherence 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. [12] | ||
| CVE-2019-3396 | The Widget Connector macro in Atlassian Confluence®17 Server allows remote attackers to achieve path traversal and remote code execution on a Confluence® Server or Data Center instance via server-side template injection. | CSA – Patch Critical Vulnerability In Atlassian Confluence CSI – Detect and Prevent Web Shell Malware U/OO/134094-20 |
| Affects: Atlassian Confluence before 6.6.12, 6.7.0 to before 6.12.3, 6.13.0 to before 6.13.3, and 6.14.0 to before 6.14.2. [13] | ||
| CVE-2019-11580 | Attackers who can send requests to an Atlassian® Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution. | CSI – Detect and Prevent Web Shell Malware U/OO/134094-20 |
| Affects: Atlassian Crowd from 2.1.0 to before 3.0.5, 3.1.0 to before 3.1.6, 3.2.0 to before 3.2.8, 3.3.0 to before 3.3.5, and 3.4.0 to before 3.4.4. [14] | ||
| CVE-2020-10189 | Zoho ManageEngine®18 Desktop Central allows remote code execution because of deserialization of untrusted data. | CSI – Detect and Prevent Web Shell Malware U/OO/134094-20 |
| Affects: Zoho ManageEngine Desktop Central before 10.0.479. [15] | ||
| CVE-2019-18935 | Progress Telerik®19 UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution. | CSI – Detect and Prevent Web Shell Malware U/OO/134094-20 |
| Affects: Progress Telerik UI for ASP.NET AJAX through 2019.3.1023. [16] Additional Mitigations: NSA concurs with Tenable’s®20 recommendations: “This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)” [16] | ||
| CVE-2020-0601 | A spoofing vulnerability exists in the way Windows® CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source. | CSA – Patch Critical Cryptographic Vulnerability in Microsoft Windows® Clients and Servers U/OO/104201-20 |
| Affects: Microsoft Windows® 10, Server® 2016 - 2019. Additional Mitigations: In addition, the Windows® certificate utility (certutil) and the OpenSSL®21 utility can be used to inspect a certificate for explicitly defined or non-standard elliptic curve parameters if a suspect certificate is encountered. | ||
| CVE-2019-0803 | An elevation of privilege vulnerability exists in Windows® when the Win32k component fails to properly handle objects in memory. | CSI – Update and Upgrade Software Immediately U/OO/181147-19 |
| Affects: Microsoft Windows® 7 - 10, Microsoft Windows Server® 2008 - 2019. | ||
| CVE-2017-6327 | The Symantec®22 Messaging Gateway can encounter a remote code execution issue. | CSI – Update and Upgrade Software Immediately U/OO/181147-19 |
| Affects: Symantec Messaging Gateway before 10.6.3-267. [17] Additional Mitigations: Run under the principle of least privilege, where possible, to limit the impact of potential exploit. | ||
| CVE-2020-3118 | A vulnerability in the Cisco® Discovery Protocol implementation for Cisco IOS®23 XR Software could allow | CSI – Harden Network Devices U/OO/171339-16 |
| 17 Atlassian Confluence® is a registered trademark of Atlassian, Inc. 18 ManageEngine® is a registered trademark of Zoho Corporation. 19 Telerik UI® is a registered trademark of Telerik AD. 20 Tenable® is a registered trademark of Tenable, Inc. 21 OpenSSL® is a registered trademark of OpenSSL Software Foundation. 22 Symantec® is a registered trademark of Broadcom Corporation. 23 Cisco IOS® is a registered trademark of Cisco Systems, Inc. in the United States and other countries. | ||
| an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. | ||
| Affects: Cisco IOS XR 5.2.5, 6.5.2, 6.5.3, 6.6.25, 7.0.1. [18] Additional Mitigations: On many devices, Cisco® Discovery Protocol is enabled by default. NSA recommends disabling discovery protocols, per our Harden Network Devices CSI. To determine if CDP is enabled, use the “show running-config | include cdp” command. | ||
| CVE-2020-8515 | DrayTek Vigor®24 devices allow remote code execution as root (without authentication) via shell metacharacters. | CSI – Update and Upgrade Software Immediately U/OO/181147-19 |
| Affects: Vigor2960® 1.3.1_Beta, Vigor3900® 1.4.4_Beta, and Vigor300B® 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices. [19] Additional Mitigations: After patching the system, check to make sure that no additional admin users or remote access profiles have been added. Verify that no changes have been made to Access Control Lists. | ||
| NSA is aware that National Security Systems, Defense Industrial Base, and Department of Defense networks are consistently scanned, targeted, and exploited by Chinese state-sponsored cyber actors. NSA recommends that critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage. Additionally, due to the various systems and networks that could be impacted by the information in this product outside of these sectors, NSA recommends that the CVEs above be prioritized for action by all network defenders. |
