2.2.1 Technical Requirements
2.2.1.1 Clinical VTC Platforms
Clinical VTC platforms used
for telehealth services must have the appropriate verification, confidentiality,
and security parameters necessary to be properly utilized for this
purpose and must meet the requirements of the Health Insurance Portability
and Accountability Act (HIPAA) Privacy and Security Rules (collectively
“the HIPAA Rules”). For telehealth services provided outside the
50 United States (US), District of Columbia, and US Territories
including the Commonwealth of Puerto Rico, the Virgin Islands, Guam,
American Samoa, and the Commonwealth of the Northern Mariana Islands,
the TRICARE Overseas Program (TOP) contractor shall comply with
the privacy and security laws, regulations, and guidance of the
host nation. Video-chat applications (i.e., Skype, Facetime) should
not be used unless appropriate measures are taken to ensure the
application meets these requirements and that appropriate business
associates agreements (if necessary) are in place to utilize such applications
for telehealth.
2.2.1.2 Connectivity
Telehealth
services provided through personal computers or mobile devices that
use internet-based videoconferencing software programs shall provide services
at a bandwidth and with sufficient resolutions to ensure the quality
of the image or audio received is sufficient
for the type of telehealth services being delivered.
2.2.1.3 Privacy and Security
The
contractor
shall use the following guidelines
to
ensure the privacy and security of telehealth services:
• Providers of telehealth services
shall ensure audio and video transmissions used are secured using
point-to-point encryption that meets recognized standards.
• Providers of telehealth services
shall not use videoconference software
that allows multiple concurrent sessions to be opened by a single
user. While only one session may be open at a time, a provider may
include more than two sites/patients as participants in that session
with the consent of all participants (i.e., group psychotherapy).
• Protected Health Information
(PHI) and other confidential data shall only be backed up to or
stored on secure data storage locations that have been approved
for this purpose. Cloud services unable to achieve compliance shall
not be used for PHI or confidential data.
• For telehealth services provided
outside of the 50 US, District of Columbia, and US Territories including
the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American
Samoa, and the Commonwealth of the Northern Mariana Islands, the TOP
contractor shall apply the privacy and security laws,
regulations and guidance of the host nation.
• The
Office of Civil Rights (OCR) will enforce the HIPAA
rules.
2.2.2 Asynchronous “Store and Forward”
Services
Asynchronous,
or “store and forward” telehealth services, under conventional health
care delivery, includes medical services that do not require face-to-face
or “hands-on” contact between patient and physician. For example,
TRICARE permits coverage of teleradiology, which is the most widely
used and reimbursed form of telehealth, as well as physician interpretation
of electrocardiogram and electroencephalogram readings that are
transmitted electronically. Other examples for use of telehealth
by using “store and forward” technology include telepathology and teledermatology.
2.2.3 Contractor Responsibilities
2.2.3.1 The
contractor shall instruct providers rendering telehealth services
to follow telehealth-specific regulatory, licensing, credentialing
and privileging, malpractice and insurance laws and rules for their
profession in both the jurisdiction (site) in which they are practicing
as well as the jurisdiction (site) where the patient is receiving
care, and shall ensure compliance as required by appropriate regulatory
and accrediting agencies. For services provided outside of the US,
District of Columbia, and US Territories, the TOP
contractor shall follow all applicable TOP and host
nation requirements including privacy and security laws, regulations
and guidance.
2.2.3.2 The contractor shall instruct
providers rendering telemedicine services to follow professional
discipline and national practice guidelines when practicing via
telehealth, and any modifications to applicable clinical practice
guidelines for the telehealth setting shall ensure that clinical
requirements specific to the discipline are maintained. In addition, the
contractor shall instruct the provider to determine arrangements
for handling emergency situations at
the outset of treatment to ensure consistency with established local
procedures. In particular, for mental health services, this shall include
processes for hospitalization or civil commitment within the jurisdiction
where the patient is located if necessary.
2.2.3.3 For
synchronous telehealth services, the contractor shall
instruct providers rendering telehealth services to implement means
for verification of provider and patient identity. For telehealth services
where the originating site is an authorized institutional provider,
the verification of both professional and patient identity may occur
at the host facility. For telehealth services where the originating
site does not have an immediately available health professional
(i.e., the patient’s home), the telehealth provider shall provide
the patient (or legal representative) with the provider’s qualifications,
licensure information, and, when applicable, registration number
(i.e., National Provider Identification (NPI)). The patient will provide
two-factor authentication.
2.2.3.4 For synchronous telehealth
services, the contractor shall instruct providers to
document provider and patient location in
the medical record as required for the appropriate payment of services. The
contractor shall instruct the provider to document elements
such as city/town, state, and ZIP code (or
country for overseas services).
2.2.3.5 The
contractor shall instruct providers to conduct transmission
and storage of data associated with asynchronous telehealth services over
a secure network and comply with HIPAA requirements.
The TOP contractor shall ensure compliance with the privacy and
security laws, regulations and guidance for the host nation.
2.2.3.6 The
contractor shall instruct providers to establish an alternate plan
for communicating with the patient (i.e., telephone) in the event
of a technological breakdown/failure. The contractor
shall instruct providers to develop the alternate plan at
the outset of treatment. The contractor shall instruct the
provider to only resume telemedicine services if all the technological
requirements of this policy are restored.
2.2.3.7 The
contractor shall instruct providers that HIPAA privacy and security
requirements for the use and disclosure of PHI apply to all telehealth
services. The TOP contractor shall instruct providers that host
nation’s privacy and security laws, regulations and guidance for
the use and disclosure of PHI apply to all telehealth services.
2.2.4 Conditions of Payment
2.2.4.1 For TRICARE payment to be authorized
for synchronous telehealth services between a provider and patient, the
contractor shall instruct the provider to use interactive
telecommunication systems, permitting real-time audio and video
communication between the TRICARE-authorized provider (i.e., distant
site) and the beneficiary (i.e., originating site).
2.2.4.2 As a condition of payment for
synchronous telehealth services, the contractor shall
instruct the provider that both the patient and healthcare
provider shall be present on the connection
and participating.
2.2.4.3 TRICARE allows payment for
asynchronous telehealth services in which, under conventional health
care delivery, do not require face-to-face or “hands-on” contact
between patient and provider. For TRICARE payment to be authorized
for asynchronous telehealth services, the contractor
shall instruct the consulting provider to render interpretive
or other clinical services to the referring
provider.