Chronic Care Management: Bill Remote Care Safely (42 CFR § 410.78(f)(4))

Executive Summary

Chronic Care Management (CCM) is one of the most impactful ways small practices can extend care between visits, and telehealth tools make CCM scalable and patient-friendly. Under 42 CFR § 410.78(f), CMS controls how services are added to or removed from the Medicare telehealth list; however, CCM itself is an inherently non-face-to-face service that sits outside the statutory definition of “Medicare telehealth services.” That distinction matters: your practice can coordinate chronic care using remote communications without triggering the geographic or originating-site restrictions that govern traditional telehealth. To thrive in 2025, small practices must align CCM workflows with Medicare coverage and billing requirements, embed HIPAA safeguards, and keep a tight audit trail, especially as CMS continues to refine telehealth policy through the annual Physician Fee Schedule (PFS).

Introduction

Small practices shoulder a disproportionate share of chronic disease management. Many of your patients require ongoing medication adjustments, labs, behavioral support, and social-needs coordination that cannot wait for the next in-person appointment. “Telehealth” tools (secure messaging, video, portals, and phone) are now routine, but not every remote service is legally “telehealth.” That nuance is crucial for compliance and reimbursement.

This guide explains how to operate CCM programs that rely on remote communication while staying aligned with Medicare’s rules anchored in 42 CFR § 410.78 and related CMS guidance. We translate federal policy into practical steps: who can furnish and bill CCM, what must be documented, how to protect privacy, and how to survive a payer review. The focus is deliberately tactical and budget-sensitive for small clinics that need reliability more than bells and whistles.

Understanding CCM via Telehealth Under 42 CFR § 410.78(f)

Where CCM fits in the telehealth framework

Section 410.78 governs “Telehealth services.” Subsection (f) sets the process CMS uses to add or delete codes on the Medicare telehealth list through PFS rulemaking. That process is the gatekeeper for services that are telehealth under Medicare law. By contrast, Chronic Care Management (CCM) services (for example, CPT® 99490, 99439, 99491, 99437, complex CCM codes, and certain care management families) are inherently non-face-to-face care coordination and therefore do not fall under the statutory telehealth definition. In practical terms, you can use phones or secure digital communications to furnish CCM without the geographic, originating-site, or video requirements Medicare applies to “telehealth services.”

This distinction can feel counterintuitive. You are using technology, staff, and remote communications every day, but for compliance, ask: “Is the code on the Medicare Telehealth Services List and subject to 42 CFR 410.78 rules, or is it a care management code that is separately payable under the PFS and not on the telehealth list?” For CCM, it is the latter. Still, § 410.78(f) matters because it shapes the broader telehealth environment you operate within and often drives documentation expectations auditors bring to any remote-care review.

Core CCM coverage concepts every small practice should know

  • Patient eligibility. Traditional CCM requires two or more chronic conditions expected to last at least 12 months (or until the patient’s death) that place the patient at significant risk.

  • Service elements. A comprehensive, patient-centered care plan, 24/7 access to urgent clinical support, systematic assessment and monitoring, medication reconciliation and management, and care coordination across settings.

  • Time thresholds. Typical CCM requires at least 20 minutes per calendar month of clinical staff time directed by a physician or other qualified health care professional (QHP). Complex CCM and principal care management (PCM) have different time and complexity thresholds.

  • Supervision and team-based care. Clinical staff may furnish much of CCM incident to a billing practitioner under appropriate supervision; remote communications are permitted.

  • Consent and enrollment. Patient consent (verbal or written, properly documented) is required before initiating CCM and must address cost sharing and service scope.

  • No “double counting.” Time cannot be counted toward multiple time-based care management codes concurrently.

Compliance takeaway: CCM is remote-friendly and not constrained by § 410.78’s geographic or originating-site rules. However, documentation, consent, care-plan integrity, and accurate time accounting are non-negotiable.

The OCR’s Authority in CCM Delivered Through Telehealth Tools

Even though CCM is not “telehealth” under § 410.78, your technology and data flows are the same ones used for telehealth, so the HHS Office for Civil Rights (OCR) oversees privacy and security compliance under HIPAA. OCR’s authority spans how you collect, transmit, store, and access protected health information (PHI) in your CCM program: phone calls, secure messaging, remote platform portals, and EHR features.

Common OCR audit or investigation triggers in CCM contexts include:

  • Patient complaints about disclosures, unauthorized access, or use of non-secure messaging for sensitive results.

  • Self-reported breaches (for example, a misdirected care-plan PDF or unencrypted device loss).

  • Random or targeted reviews linked to patterns (repeat mis-mailings, vendor lapses, or lack of Business Associate Agreements (BAAs)).

What OCR expects: risk analysis that covers remote workflows, signed BAAs with any vendor that accesses PHI (telephony, messaging, RPM platforms, analytics), role-based access, multifactor authentication, audit logging, and a documented incident-response routine. For CCM, staff often communicate after hours and from varied locations, so privacy controls must be simple, teachable, and enforced.

Step-by-Step Compliance Guide for Small Practices

This section offers actionable steps tailored to CCM’s rules, while acknowledging that you will deliver much of CCM through telehealth-style communication.

1) Build your CCM Service Map

How to comply: Identify which CCM family you will furnish (standard vs. complex; consider related codes like PCM, behavioral health integration, social needs assessments if applicable). Define eligible practitioners to bill (e.g., physician, NP, PA) and clinical staff who will deliver components.
 Documentation: A one-page “CCM Services Grid” listing each code, requirements, time thresholds, supervision level, and who can contribute time. Keep it in your compliance binder and share with billing.

2) Capture Consent the Right Way

How to comply: Obtain and document patient consent before the first CCM month. The consent should state services included, cost sharing, how to opt out, and how care will be coordinated. Verbal consent is acceptable if fully documented in the record.
 Documentation: A standardized CCM consent template in your EHR (smart phrase or form). If verbal, include the date, staff name, and exact script elements covered.

3) Create a CCM Care-Plan Template

How to comply: Your care plan must be comprehensive and patient-centered: problems, goals, measurable targets, interventions, responsible team members, community resources, and updates when conditions or medications change.
 Documentation: A structured care-plan note type or EHR flow sheet. Attach or reference specialist plans and discharge summaries to show cross-setting coordination.

4) Timekeeping That Survives an Audit

How to comply: Track who did what, for how long, and for which condition(s). Staff time counts when delivering non-overlapping CCM elements directed by a billing practitioner. Exclude time already counted for other services (e.g., TCM, behavioral health integration) in the same month.
 Documentation: Use an EHR stopwatch tool or a simple CCM time ledger that logs date, staff, minutes, task description, and patient response or outcome. Summarize at month-end.

5) Tighten Supervisor and Team Workflows

How to comply: Define incident-to supervision (direct vs. general, as applicable in your state and CMS policy) and document practitioner involvement (review of care plans, availability during CCM activities, and monthly oversight).
 Documentation: An SOP stating supervision expectations, plus monthly attestations or note entries by the billing practitioner.

6) Hard-wire HIPAA Safeguards

How to comply: Execute BAAs with telecommunications, messaging, and platform vendors; enable MFA; restrict downloads on personal devices; and turn on audit logs. For audio-only outreach, follow reasonable safeguards (confirm identity, avoid speakerphone in shared settings).
 Documentation: A vendor inventory, last risk-analysis date, and a one-page security controls summary placed in your CCM binder.

7) Train in 45 Minutes

How to comply: Provide focused training: who qualifies, timekeeping rules, what “counts” as CCM, consent script, the care-plan template, and privacy expectations.
 Documentation: Slides or a one-pager, attendance log, and a 5-question quiz (keep results).

8) Run a 10-Chart Monthly Audit

How to comply: Sample 10 CCM charts each month. Check for consent on file, an active care plan, time ledger accuracy, non-overlapping time, and appropriate code selection.
 Documentation: A CCM Audit Log capturing defects found, corrective actions, and completion dates. Use trends to update training.

9) Close the Loop With Patients

How to comply: Communicate clearly about expected touchpoints, after-hours access, and cost sharing. Provide a handout that explains CCM and how to opt out.
 Documentation: Store the handout in the EHR’s patient-education library and note when it was given or sent.

Case Study

Background. A three-clinician primary care clinic launched CCM to reduce ER visits among older adults with diabetes, COPD, and CHF. They planned to use their EHR’s messaging and phone outreach.

Initial gaps. Consent was captured inconsistently; staff sometimes counted time spent scheduling an unrelated imaging test; and care plans varied widely in detail. Billing occasionally overlapped CCM and transitional care management (TCM) minutes in the same month. The practice had no BAA with its outsourced call center.

Interventions. The clinic created a CCM Services Grid, embedded a consent smart phrase, and activated a uniform care-plan template aligned to common chronic conditions. They stood up a time ledger inside the EHR, with dropdowns describing the specific CCM element performed. Legal counsel helped execute a BAA with the call center and limited its access to necessary data. A 10-chart monthly audit flagged double-counting and missing plan updates; supervisors corrected notes and retrained staff within a week.

Results. Within 90 days, denial rates fell to near zero, and the clinic documented a 22% reduction in 90-day readmissions for their high-risk cohort. During a payer probe, the clinic produced signed consents, precise time ledgers, and consistent care-plan updates; no recoupments were assessed. Staff satisfaction improved because everyone knew exactly what “counts” for CCM and how to record it.

Simplified Self-Audit Checklist for CCM via Telehealth Tools (42 CFR § 410.78(f))

| Task | Responsible Party | Timeline | CFR Reference |
|---|---|---|---|
| Maintain a current CCM Services Grid (codes, thresholds, supervision, who may contribute time) | Revenue Cycle Lead / Compliance | Update annually and with PFS changes | 42 CFR § 410.78(f) (CMS process); PFS guidance |
| Confirm patient consent is captured and discoverable in the EHR before first billed month | Front Desk / Nursing / Clinician | Before first CCM month; verify quarterly | Medicare CCM coverage & documentation rules |
| Ensure every CCM patient has an active, comprehensive care plan linked to conditions | CCM Nurse / Billing Practitioner | Within 7 days of enrollment; review monthly | Medicare CCM service elements |
| Track minutes and activities with a standardized ledger; prevent double-counting across services | CCM Team Lead | Ongoing; monthly roll-up | PFS billing requirements for CCM |
| Document supervising practitioner oversight and availability for incident-to services | Billing Practitioner | Monthly | Incident-to and supervision rules |
| Execute/maintain BAAs; enforce MFA and audit logs for all CCM tools | Privacy Officer | Prior to go-live; annual review | HIPAA (OCR) privacy/security |
| Conduct 10-chart monthly audits; remediate defects within 10 business days | Compliance Lead | Monthly | Program integrity; PFS documentation |
| Maintain a breach/incident playbook for remote communications | Privacy Officer | Semiannual drills | HIPAA breach notification standards |
| Reconcile codes and modifiers at month-end; verify no overlapping time with TCM/BHI/PCM | Billing Lead | Monthly | PFS care-management families |

Common Pitfalls to Avoid Under the CFR/PFS Framework

Before scaling, avoid these frequent errors that jeopardize CCM integrity even when delivered through telehealth tools:

  • Treating CCM as a “telehealth visit.” CCM is not a face-to-face encounter and does not require video; confusing it with telehealth leads to incorrect POS/modifier usage and avoidable denials.

  • Missing or vague consent. Auditors look for a discoverable record of consent describing cost sharing, services, and opt-out rights; “patient agreed to program” isn’t enough.

  • No comprehensive care plan. A problem list plus med list is not a care plan; you need goals, interventions, responsible team members, and follow-up actions.

  • Double-counting minutes. Time applied to TCM, behavioral integration, or PCM cannot also be used for CCM in the same month; build software edits to catch overlaps.

  • Vendor blind spots. Using call centers or texting tools without BAAs and access controls risks OCR scrutiny and potential breach reporting.

  • Poor time descriptions. “10 minutes care coordination” is weak; specify the component (e.g., med reconciliation; social needs linkages; arranging community services) and the outcome.

A short pre-bill validation (consent, care plan present, ledger complete, no overlap) eliminates most of these problems.

Concluding Recommendations, Advisers, and Next Steps

Recommendations. Treat CCM as a remote-friendly, non-telehealth care management service governed by PFS rules. Use telehealth tools (secure messaging, audio-only, and portals), but don’t impose telehealth restrictions that don’t apply. Standardize consent and care-plan templates; log time precisely; prevent double-counting; and maintain HIPAA rigor (BAAs, MFA, audit logs). Fortify your program with a 10-chart monthly audit and staff micro-training that targets the most common defects.

Advisers (affordable, practical).

  • Leverage the EHR you already own. Build smart phrases for consent and care-plan sections; activate a timer or create a simple “CCM minutes” flow sheet.

  • Use low-cost claim edits. Configure your practice-management system to flag missing consent codes/notes, overlapping time with TCM/BHI/PCM, and out-of-range minutes.

  • Free federal resources. CMS’s MLN CCM booklet and Care Management pages provide authoritative checklists and FAQs you can copy into policy binders. OCR’s HIPAA guidance helps you tune privacy controls for audio-only and messaging.

  • Simple compliance trackers. If you add software, choose a lightweight solution that stores BAAs, audit logs, and incident-response templates, and exports a “CCM Binder” on demand.

Next steps (30/60/90 days).

  • 30 days: Publish your CCM Services Grid; deploy consent and care-plan templates; hold the 45-minute training.

  • 60 days: Turn on time-logging; run your first 10-chart audit; complete BAAs and MFA for all CCM tools.

  • 90 days: Tune templates based on audit findings; add claim edits; expand CCM to a second chronic-condition cohort if metrics are stable.
