2.2.1 Technical Requirements
2.2.1.1 Clinical VTC Platforms
Clinical VTC platforms used
for telehealth services must have the appropriate verification, confidentiality,
and security parameters necessary to be properly utilized for this
purpose and must meet the requirements of the Health Insurance Portability
and Accountability Act (HIPAA) Privacy and Security Rules (collectively
“the HIPAA Rules”). For telehealth services provided outside the
50 United States (US), District of Columbia, and US Territories
including the Commonwealth of Puerto Rico, the Virgin Islands, Guam,
American Samoa, and the Commonwealth of the Northern Mariana Islands,
the TRICARE Overseas Program (TOP) contractor shall comply with
the privacy and security laws, regulations, and guidance of the
host nation. Video-chat applications (i.e., Skype, Facetime) should
not be used unless appropriate measures are taken to ensure the
application meets these requirements and that appropriate business
associates agreements (if necessary) are in place to utilize such applications
for telehealth.
2.2.1.2 Connectivity
Telehealth services provided through personal computers or mobile devices
that use internet-based videoconferencing software programs shall provide
services at a bandwidth and with sufficient resolutions to ensure the quality
of the image or audio received is sufficient for the type of telehealth
services being delivered.
2.2.1.3 Privacy and Security
The contractor shall use the following guidelines to ensure the privacy
and security of telehealth services:
• Providers of telehealth services
shall ensure audio and video transmissions used are secured using point-to-point
encryption that meets recognized standards.
• Providers of telehealth services
shall not use videoconference software
that allows multiple concurrent sessions to be opened by a single
user. While only one session may be open at a time, a provider may
include more than two sites/patients as participants in that session
with the consent of all participants (i.e., group psychotherapy).
• Protected Health Information
(PHI) and other confidential data shall only be backed up to or
stored on secure data storage locations that have been approved
for this purpose. Cloud services unable to achieve compliance shall
not be used for PHI or confidential data.
• For telehealth services provided
outside of the 50 US, District of Columbia, and US Territories including
the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American
Samoa, and the Commonwealth of the Northern Mariana Islands, the TOP
contractor shall apply the privacy and security laws,
regulations and guidance of the host nation.
• The Office of Civil Rights (OCR) will enforce the HIPAA rules.
2.2.2 Asynchronous “Store and Forward” Services
Asynchronous, or “store and forward,” telehealth services, under conventional
health care delivery, include medical services that do not require face-to-face
or “hands-on” contact between patient and physician. For example,
TRICARE permits coverage of teleradiology, which is the most widely
used and reimbursed form of telehealth, as well as physician interpretation
of electrocardiogram and electroencephalogram readings that are
transmitted electronically. Other examples for use of telehealth
by using “store and forward” technology include telepathology and
teledermatology.
2.2.3 Contractor Responsibilities
2.2.3.1 The contractor shall instruct
providers rendering telehealth services to follow telehealth-specific
regulatory, licensing, credentialing and privileging, malpractice
and insurance laws and rules for their profession in both the jurisdiction
(site) in which they are practicing as well as the jurisdiction (site)
where the patient is receiving care, and shall ensure compliance
as required by appropriate regulatory and accrediting agencies.
For services provided outside of the US, District of Columbia, and US
Territories, the TOP contractor shall follow all
applicable TOP and host nation requirements including privacy and
security laws, regulations and guidance.
2.2.3.2 The contractor shall instruct
providers rendering telemedicine services to follow professional
discipline and national practice guidelines when practicing via
telehealth, and any modifications to applicable clinical practice
guidelines for the telehealth setting shall ensure that clinical
requirements specific to the discipline are maintained. In addition, the
contractor shall instruct the provider to determine arrangements
for handling emergency situations at
the outset of treatment to ensure consistency with established local
procedures. In particular, for mental health services, this shall include
processes for hospitalization or civil commitment within the jurisdiction
where the patient is located if necessary.
2.2.3.3 For synchronous telehealth
services, the contractor shall instruct
providers rendering telehealth services to implement means for verification
of provider and patient identity. For telehealth services where
the originating site is an authorized institutional provider, the
verification of both professional and patient identity may occur
at the host facility. For telehealth services where the originating
site does not have an immediately available health professional
(i.e., the patient’s home), the telehealth provider shall provide
the patient (or legal representative) with the provider’s qualifications,
licensure information, and, when applicable, registration number
(i.e., National Provider Identification (NPI)). The patient will provide
two-factor authentication.
2.2.3.4 For synchronous telehealth
services, the contractor shall instruct providers to
document provider and patient location in
the medical record as required for the appropriate payment of services. The
contractor shall instruct the provider to document elements
such as city/town, state, and ZIP code (or
country for overseas services).
2.2.3.5 The contractor shall instruct
providers to conduct transmission and
storage of data associated with asynchronous telehealth services over
a secure network and comply with HIPAA requirements.
The TOP contractor shall ensure compliance with the privacy and
security laws, regulations and guidance for the host nation.
2.2.3.6 The contractor shall instruct
providers to establish an alternate plan for communicating with
the patient (i.e., telephone) in the event of a technological breakdown/failure. The
contractor shall instruct providers to develop the alternate plan at
the outset of treatment. The contractor shall instruct the
provider to only resume telemedicine services if all the technological
requirements of this policy are restored.
2.2.3.7 The contractor shall instruct
providers that HIPAA privacy and security requirements for the use
and disclosure of PHI apply to all telehealth services. The TOP
contractor shall instruct providers that host nation’s privacy and
security laws, regulations and guidance for the use and disclosure
of PHI apply to all telehealth services.
2.2.4 Conditions of Payment
2.2.4.1 For TRICARE payment to be authorized
for synchronous telehealth services between a provider and patient, the
contractor shall instruct the provider to use interactive
telecommunication systems, permitting real-time audio and video
communication between the TRICARE-authorized provider (i.e., distant
site) and the beneficiary (i.e., originating site).
2.2.4.2 As a condition of payment for
synchronous telehealth services, the contractor shall
instruct the provider that both the patient and healthcare
provider shall be present on the connection
and participating.
2.2.4.3 TRICARE allows payment for
asynchronous telehealth services that, under conventional health
care delivery, do not require face-to-face or “hands-on” contact
between patient and provider. For TRICARE payment to be authorized
for asynchronous telehealth services, the contractor
shall instruct the consulting provider to render interpretive
or other clinical services to the referring
provider.