The following requirements,
criteria, and limitations are applicable to the provisions of medically
or psychologically necessary and appropriate care delivered via
telehealth.
2.2.1 Technical
Requirements
2.2.1.1 Clinical
VTC Platforms
Clinical
VTC platforms used for telehealth services must have the appropriate
verification, confidentiality, and security parameters necessary
to be properly utilized for this purpose and must meet the requirements
of the Health Insurance Portability and Accountability Act (HIPAA)
Privacy and Security Rules (collectively “the HIPAA Rules”). For
telehealth services provided outside the 50 United States (US),
District of Columbia, and US Territories including the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, and the
Commonwealth of the Northern Mariana Islands, the TRICARE Overseas
Program (TOP) contractor shall comply with the privacy and security
laws, regulations, and guidance of the host nation. Video-chat applications
(i.e., Skype, Facetime) should not be used unless appropriate measures
are taken to ensure the application meets these requirements and
that appropriate business associates agreements (if necessary) are
in place to utilize such applications for telehealth.
2.2.1.2 Connectivity
Telehealth services provided
through personal computers or mobile devices that use internet-based
videoconferencing software programs must provide such services at
a bandwidth and with sufficient resolutions to ensure the quality
of the image and/or audio received is sufficient for the type of
telehealth services being delivered. Telehealth services shall not
be provided if this functional requirement is not met.
2.2.1.3 Privacy and Security
The
following guidelines shall be followed to ensure the privacy and
security of telehealth services:
• Providers of telehealth services
shall ensure audio and video transmissions used are secured using
point-to-point encryption that meets recognized standards.
• Providers of telehealth services
shall not utilize videoconference software that allows multiple
concurrent sessions to be opened by a single user. While only one session
may be open at a time, a provider may include more than two sites/patients as
participants in that session with the consent of all participants
(i.e., group psychotherapy).
• Protected Health Information
(PHI) and other confidential data shall only be backed up to or
stored on secure data storage locations that have been approved
for this purpose. Cloud services unable to achieve compliance shall
not be used for PHI or confidential data.
• For telehealth services provided
outside of the 50 US, District of Columbia, and US Territories including
the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American
Samoa, and the Commonwealth of the Northern Mariana Islands, the privacy
and security laws, regulations and guidance of the host nation apply.
• Enforcement of the HIPAA Rules
is the responsibility of the Office of Civil Rights (OCR).
2.2.2 Asynchronous “Store and Forward”
Services
Asynchronous,
or “store and forward” telehealth services, under conventional health
care delivery, includes medical services that do not require face-to-face
or “hands-on” contact between patient and physician. For example,
TRICARE permits coverage of teleradiology, which is the most widely
used and reimbursed form of telehealth, as well as physician interpretation
of electrocardiogram and electroencephalogram readings that are
transmitted electronically. Other examples for use of telehealth
by using “store and forward” technology include telepathology and teledermatology.
2.2.3 Contractor Responsibilities
2.2.3.1 The
contractor shall instruct providers rendering telehealth services
to follow telehealth-specific regulatory, licensing, credentialing
and privileging, malpractice and insurance laws and rules for their
profession in both the jurisdiction (site) in which they are practicing
as well as the jurisdiction (site) where the patient is receiving
care, and shall ensure compliance as required by appropriate regulatory
and accrediting agencies. For services provided outside of the US,
District of Columbia, and US Territories, this includes all applicable
TOP and host nation requirements including privacy and security
laws, regulations and guidance.
2.2.3.2 The
contractor shall instruct providers rendering telemedicine services
to follow professional discipline and national practice guidelines
when practicing via telehealth, and any modifications to applicable
clinical practice guidelines for the telehealth setting shall ensure
that clinical requirements specific to the discipline are maintained.
In addition, arrangements for handling emergency situations should
be determined at the outset of treatment to ensure consistency with established
local procedures. In particular, for mental health services, this
should include processes for hospitalization or civil commitment
within the jurisdiction where the patient is located if necessary.
2.2.3.3 For
synchronous telehealth services, the contractors shall instruct
providers rendering telehealth services to implement means for verification
of provider and patient identity. For telehealth services where
the originating site is an authorized institutional provider, the
verification of both professional and patient identity may occur
at the host facility. For telehealth services where the originating
site does not have an immediately available health professional
(i.e., the patient’s home), the telehealth provider shall provide
the patient (or legal representative) with the provider’s qualifications,
licensure information, and, when applicable, registration number
(i.e., National Provider Identification (NPI)). The patient shall
provide two-factor authentication.
2.2.3.4 For
synchronous telehealth services, the contractor shall instruct providers
that provider and patient location must be documented in the medical
record as required for the appropriate payment of services. Documentation
will include elements such as city/town, state, and zip code (or country
for overseas services).
2.2.3.5 The contractor shall instruct
providers to ensure that transmission and storage of data associated
with asynchronous telehealth services is conducted over a secure
network and is compliant with HIPAA requirements. The TOP contractor
shall ensure compliance with the privacy and security laws, regulations
and guidance for the host nation.
2.2.3.6 The
contractor shall instruct providers to establish an alternate plan
for communicating with the patient (i.e., telephone) in the event
of a technological breakdown/failure. This should be developed at
the outset of treatment. In order for the telemedicine services
to resume, all technological requirements of this policy must be
restored.
2.2.3.7 The contractor shall instruct
providers that HIPAA privacy and security requirements for the use
and disclosure of PHI apply to all telehealth services. The TOP
contractor shall instruct providers that host nation’s privacy and
security laws, regulations and guidance for the use and disclosure
of PHI apply to all telehealth services.
2.2.4 Conditions of Payment
2.2.4.1 For TRICARE payment to be authorized
for synchronous telehealth services between a provider and patient,
interactive telecommunication systems, permitting real-time audio
and video communication between the TRICARE-authorized provider
(i.e., distant site) and the beneficiary (i.e., originating site)
must be used.
2.2.4.2 As a condition of payment for
synchronous telehealth services, both the patient and healthcare
provider must be present on the connection and participating.
2.2.4.3 TRICARE allows payment for
asynchronous telehealth services in which, under conventional health
care delivery, do not require face-to-face or “hands-on” contact
between patient and provider. For TRICARE payment to be authorized
for asynchronous telehealth services, interpretive or other clinical
services must be rendered by the consulting provider to the referring
provider.