Medicare Telehealth List: [Self-Audit Checklist] (42 CFR § 410.78(f)(3))

Executive Summary

Telehealth offers small healthcare practices a way to expand patient access to essential care, particularly in underserved and rural communities. Under 42 CFR § 410.78(f)(3), CMS outlines the process for adding new services to the Medicare telehealth list on a category-two basis, requiring evidence that such services improve access without compromising quality of care. This provision matters because small practices must align their telehealth offerings with Medicare-approved services to ensure both compliance and reimbursement. By following these rules, practices can avoid penalties, strengthen patient trust, and improve continuity of care while using cost-effective digital solutions.

Introduction

For small practices, the ability to offer telehealth is no longer optional; it is central to patient access and long-term survival. Patients increasingly expect virtual options, and CMS regulations define which services qualify for reimbursement. 42 CFR § 410.78(f)(3) is critical because it explains how services get added to Medicare’s telehealth list based on demonstrated clinical value and equivalency to in-person care. By aligning operations with this framework, practices can confidently expand telehealth programs while staying compliant. For everyday practice management, this means knowing what counts as an approved telehealth service, how to document properly, and how to use telehealth tools to increase access while reducing barriers.

Understanding Telehealth Access Under 42 CFR § 410.78(f)(3)

Section 410.78(f)(3) sets out how CMS evaluates category-two telehealth requests, those seeking to add new services based on evidence of clinical benefit. The regulation requires that services demonstrate equivalency to in-person care in both quality and safety. CMS considers clinical studies, peer-reviewed research, and evidence of improved outcomes when deciding whether a new service qualifies. For small practices, this rule underscores the importance of only billing for services that appear on the official Medicare telehealth list. Attempting to bill for services not approved under the list exposes practices to denials and compliance risk.

Understanding this legal framework is essential because coverage dictates access. If a service is on the telehealth list, practices can use it to improve patient reach, such as chronic condition check-ins or behavioral health consultations. If not, reimbursement may be denied. Awareness of § 410.78(f)(3) ensures practices expand access responsibly while protecting their financial stability.

The OCR’s Authority in Telehealth Access

While CMS governs which services qualify for reimbursement, the Office for Civil Rights (OCR) enforces privacy and security under HIPAA. Every telehealth encounter generates protected health information (PHI), and OCR ensures that remote communication platforms meet HIPAA standards. OCR investigations may be triggered by:

  • Patient complaints about unauthorized disclosures or use of non-secure platforms.

  • Data breaches from telehealth vendors lacking Business Associate Agreements (BAAs).

  • Random reviews when OCR identifies patterns of noncompliance across providers.

Even though § 410.78(f)(3) is about service eligibility, small practices must remember that every telehealth session must comply with HIPAA privacy and security rules. Ignoring OCR’s oversight risks fines, reputational damage, and corrective action plans.

Step-by-Step Compliance Guide for Small Practices

Implementing telehealth to improve access under § 410.78(f)(3) requires practical steps that small practices can achieve without large budgets:

1) Verify CMS Telehealth Service List

Check the Medicare Telehealth Services List quarterly to confirm which services your practice can bill. Document the date and list version in your compliance binder.

2) Align EHR and Scheduling Systems

Ensure your EHR is configured with the correct billing codes, place of service indicators, and modifiers for telehealth services. Mismatches between codes and the CMS list often cause denials.

3) Standardize Patient Consent

Obtain verbal or written consent before telehealth visits and document it in the medical record. Consent must explain the nature of telehealth and potential privacy risks.

4) Strengthen HIPAA Safeguards

Execute BAAs with all telehealth vendors, enable multifactor authentication, and ensure encryption is active during all telehealth encounters.

5) Train Staff and Clinicians

Provide a 30-minute refresher on the CMS telehealth list, billing compliance, and HIPAA safeguards. Training logs must be stored for audit readiness.

6) Audit Monthly

Sample 10 telehealth encounters per month to check for correct coding, documented consent, and compliance with CMS service eligibility.

By following these steps, small practices can safely expand telehealth while ensuring every encounter is compliant with Medicare rules.

Case Study

A rural internal medicine clinic launched telehealth visits for chronic care patients. Initially, the clinic billed for services not yet on CMS’s telehealth list, resulting in $18,000 in denied claims over three months. During a compliance review, the clinic discovered it had not verified the Medicare telehealth list updates under § 410.78(f)(3). After implementing a compliance checklist, retraining staff, and restricting telehealth billing to approved codes, the clinic saw denials fall by 95%. It also improved patient access by expanding approved services, reducing no-shows, and offering after-hours appointments. The reputational benefit was equally strong: patients trusted the clinic more because services were consistent and reliable.

Simplified Self-Audit Checklist for Telehealth Access (42 CFR § 410.78(f)(3))

| Task | Responsible Party | Timeline | CFR Reference |
|---|---|---|---|
| Verify latest CMS telehealth list | Compliance Officer | Quarterly | 42 CFR § 410.78(f)(3) |
| Confirm coding and modifiers align with list | Billing Lead | Ongoing, monthly audits | 42 CFR § 410.78(f)(3) |
| Document patient consent for all telehealth visits | Front Desk/Nurse | Each visit | HIPAA + CMS telehealth guidance |
| Maintain BAAs and vendor security reviews | Privacy Officer | Annual review | HIPAA Security Rule |
| Conduct 10-chart telehealth audit | Compliance Officer | Monthly | 42 CFR § 410.78(f)(3) |

Common Pitfalls to Avoid Under 42 CFR § 410.78(f)(3)

  • Billing for non-approved services. Practices risk denials and potential fraud investigations if they submit claims for services not on the Medicare telehealth list.

  • Failure to update systems. Outdated billing software or EHR templates can cause recurring claim errors.

  • No patient consent documentation. Missing or vague consent notes are a top audit finding.

  • Insecure telehealth platforms. Using consumer apps without BAAs or encryption exposes practices to OCR penalties.

Avoiding these pitfalls helps ensure services expand access legally and sustainably.

Best Practices for Telehealth Access Compliance

  • Regularly monitor CMS updates and adjust telehealth offerings promptly.

  • Embed consent scripts and telehealth documentation templates into your EHR.

  • Use free CMS and OCR resources to train staff instead of costly consultants.

  • Centralize vendor compliance by maintaining a one-page vendor risk matrix.

  • Hold monthly staff huddles to review denied claims and identify telehealth workflow gaps.

These best practices make compliance practical even for small teams with limited resources.

Building a Culture of Compliance Around Telehealth Access

Compliance is strongest when it becomes part of daily workflow. Assign clear roles, such as a Telehealth Champion who monitors updates to the CMS list and educates peers. Integrate telehealth compliance into onboarding, with all new staff completing a training module within their first 30 days. Recognize team members who achieve zero-defect audits. Leadership should model compliance by regularly attending training and reinforcing the importance of using approved codes and secure systems. This culture ensures compliance is sustainable, not episodic.

Concluding Recommendations, Advisers, and Next Steps

Telehealth is a vital tool for improving patient access in small practices, but compliance under 42 CFR § 410.78(f)(3) is non-negotiable. Practices must stay current with the CMS telehealth list, obtain and document consent, use HIPAA-compliant platforms, and conduct routine audits. By embedding these practices, small clinics can expand access while protecting their reimbursement and reputation.

Advisers (affordable, practical):

  • Use CMS’s Medicare Telehealth Services List as the authoritative resource for coding and billing.

  • Adopt free OCR guidance on HIPAA for telehealth, including safeguards for audio-only calls.

  • Implement lightweight compliance software or even a shared spreadsheet to track consents, BAAs, and audit findings.

  • Leverage free webinars and toolkits from HHS and OIG to keep staff informed.

Next steps:

  • Within 30 days, verify telehealth services offered align with CMS’s list.

  • Within 60 days, update consent templates and vendor BAAs.

  • Within 90 days, launch a recurring 10-chart telehealth audit to maintain compliance.
