Emergency & Pandemic Rules: [Self-Audit Checklist] (42 CFR § 410.78, Waiver Guidance)

Executive Summary

Emergency and pandemic telehealth rules under 42 CFR § 410.78 and CMS waiver guidance transformed the way small practices delivered care during the COVID-19 public health emergency (PHE). These rules temporarily removed restrictions on patient location, expanded services, and permitted the use of consumer-grade platforms under OCR enforcement discretion. For small practices, these flexibilities ensured patient continuity, revenue stability, and compliance with federal mandates. Now, understanding which provisions remain in effect and how to revert to permanent rules is crucial. Proper adherence to 42 CFR § 410.78 and waiver guidance ensures practices avoid penalties, maintain reimbursement, and preserve patient trust in future emergencies.

Introduction

The COVID-19 pandemic tested the resilience of small practices across the nation. CMS responded by activating emergency and waiver guidance under 42 CFR § 410.78, allowing expanded telehealth access and loosening originating site restrictions. While these changes provided lifelines during crisis periods, they also introduced compliance risks when waivers ended. For small healthcare providers, mastering emergency and pandemic rules means knowing how to pivot quickly when federal waivers are activated, while also preparing for strict audits once they expire. This article outlines exactly how small practices can remain compliant, operationally efficient, and audit-ready when responding to emergency telehealth provisions.

Understanding Emergency & Pandemic Rules Under 42 CFR § 410.78

42 CFR § 410.78 governs Medicare coverage of telehealth services, including definitions, patient eligibility, originating sites, and technology requirements. During emergencies, CMS issues waiver guidance under Section 1135 of the Social Security Act, temporarily expanding or suspending certain requirements. Key provisions during the COVID-19 PHE included:

  • Expanded originating sites: Patients were permitted to receive telehealth at home, bypassing normal site restrictions.

  • Service expansion: A wider range of CPT/HCPCS codes became eligible for telehealth coverage.

  • Audio-only services: Behavioral health and counseling services were permitted via audio-only connections.

  • Technology allowances: OCR allowed consumer platforms such as FaceTime and Skype without penalties, provided reasonable safeguards were used.

Understanding this legal framework ensures that practices can both benefit from flexibilities during emergencies and remain compliant when waivers expire. Without knowledge of these boundaries, providers risk overpayments, compliance violations, and OCR investigations.

The OCR’s Authority in Emergency & Pandemic Rules

OCR plays a critical role in enforcing HIPAA requirements, even during emergencies. During the PHE, OCR issued enforcement discretion guidance allowing the use of non-HIPAA-compliant technologies for telehealth. However, OCR maintained authority to investigate:

  • Patient complaints alleging privacy violations during telehealth visits.

  • Self-reported breaches tied to telehealth vendors or unsecured technologies.

  • Random reviews following CMS audits where improper use of waiver flexibilities was suspected.

OCR enforcement authority means that practices must document not only CMS compliance, but also the safeguards implemented when using temporary platforms. Once waivers end, full HIPAA compliance resumes, making vendor contracts and BAAs mandatory again.

Step-by-Step Compliance Guide for Small Practices

The following steps provide a roadmap for small practices navigating emergency telehealth rules under 42 CFR § 410.78 and waiver guidance:

Step 1: Track CMS Waiver Announcements

Monitor CMS and Federal Register updates for waiver activation or expiration notices. Maintain a log of applicable waivers for audit defense.

Step 2: Update Patient Consent Forms

Incorporate emergency telehealth language into consent forms, clarifying technology limitations, privacy risks, and alternatives.

Step 3: Document Patient Location and Modality

Record whether patients are at home, in a facility, or at another approved site. For audio-only visits, note clinical justification.

Step 4: Maintain Vendor Safeguards

Even when OCR discretion allows consumer platforms, document safeguards (such as advising patients on privacy) and transition back to HIPAA-compliant platforms when required.

Step 5: Audit Telehealth Claims

Review claims monthly to ensure services align with approved telehealth service lists and waiver allowances.

Step 6: Train Staff Rapidly

Conduct short emergency-oriented training sessions whenever CMS updates telehealth guidance, ensuring staff can implement changes quickly.

Case Study

A small pediatric clinic embraced telehealth during the PHE, offering audio-only counseling visits without documenting why video was not feasible. After the PHE ended, CMS auditors requested documentation. The clinic had not updated its workflows to reflect waiver expirations and was required to repay $27,000 in Medicare claims.

In contrast, a rural behavioral health practice developed a compliance binder documenting waiver announcements, patient consent forms, and staff training logs. The practice also transitioned back to HIPAA-compliant platforms before OCR discretion expired. When audited, CMS found full compliance, and the practice avoided financial penalties while reinforcing its reputation for responsible care.

Simplified Self-Audit Checklist for Emergency & Pandemic Rules

| Task | Responsible Party | Timeline | CFR Reference |
|------|-------------------|----------|---------------|
| Track CMS waiver guidance | Compliance Officer | Weekly during emergencies | 42 CFR 410.78 |
| Update consent forms with emergency language | Clinic Manager | Within 7 days of waiver activation | 42 CFR 410.78 |
| Document patient location and modality | Clinician | Each telehealth visit | 42 CFR 410.78 |
| Review vendor HIPAA safeguards | IT Lead/Owner | Quarterly or waiver change | 42 CFR 410.78 |
| Audit telehealth claims | Billing Manager | Monthly | 42 CFR 410.78 |
| Conduct emergency staff trainings | Clinic Manager | Within 14 days of CMS update | 42 CFR 410.78 |

Common Pitfalls to Avoid Under 42 CFR § 410.78

  • Billing for expired waivers: Submitting claims under rules no longer in effect results in repayment demands.

  • Failing to document audio-only justification: Without explanation, claims for audio-only visits may be denied.

  • Using consumer platforms beyond OCR discretion: Leads to HIPAA violations and OCR investigations.

  • Not updating staff: Staff unaware of waiver expiration can continue improper billing practices.

Avoiding these pitfalls ensures practices remain compliant during and after emergencies.

Best Practices for Emergency & Pandemic Rules Compliance

  • Maintain a waiver tracker spreadsheet linking dates, services, and staff responsibilities.

  • Embed patient location verification prompts into EHR templates.

  • Store vendor BAAs and waiver policies in a shared compliance binder.

  • Provide staff with a one-page waiver summary for quick reference.

  • Conduct mock audits to verify readiness.

These practices reduce compliance risk and ensure small practices can pivot seamlessly during emergencies.

Building a Culture of Compliance Around Emergency & Pandemic Rules

Leadership must embed emergency telehealth compliance into the practice culture. This includes designating a compliance lead, updating internal policies promptly, and training staff on regulatory changes. Short refresher trainings, accessible compliance binders, and feedback loops strengthen preparedness. A compliance-driven culture ensures that emergency rules are implemented correctly while positioning the practice to return smoothly to permanent requirements.

Concluding Recommendations, Advisers, and Next Steps

Final Summary

Emergency and pandemic rules under 42 CFR § 410.78 and waiver guidance provided critical flexibilities during the COVID-19 PHE. For small practices, success lies in knowing which flexibilities apply, documenting compliance during their use, and reverting to permanent rules when they expire. Proper application reduces risks of repayment, OCR scrutiny, and reputational harm.

Advisers

Small practices can strengthen compliance affordably by:

  • Using CMS Telehealth Services List to verify covered services during emergencies.

  • Accessing HHS Telehealth Resources for waiver-related consent templates.

  • Consulting OCR HIPAA Guidance for safe vendor practices.

  • Leveraging low-cost compliance tools such as shared spreadsheets, EHR smart phrases, and free OIG audit checklists to stay prepared.

Next Steps

  • Within 30 days: Establish a waiver tracker and update consent forms.

  • Within 60 days: Confirm vendor compliance and train staff on emergency protocols.

  • Within 90 days: Conduct a mock audit of telehealth claims tied to waiver guidance.
