How Surveyors Evaluate Telehealth Compliance in Small Practices (42 CFR § 410.78)

Telehealth surveyors evaluate whether small practices furnish and bill Medicare telehealth in accordance with 42 CFR § 410.78, which defines what counts as telehealth, who may furnish it, and the conditions for payment. Their review centers on documentation of modality (audio-video versus audio-only when permitted), patient location at the time of service, practitioner eligibility, coding (including place of service and modifiers), and adherence to the current Medicare Telehealth Services List. Because workflow, not intent, drives most findings, practices that hard-wire these requirements into scheduling, charting, and claim edits fare best. This article explains how surveyors think, what evidence they request, and how a small team can stay audit-ready with simple templates, checklists, and low-cost controls.

Telehealth is now core to everyday access, follow-ups, and chronic disease management in small clinics. Yet Medicare’s rules are precise: 42 CFR § 410.78 sets the boundaries for what is telehealth, which practitioners may furnish it, where the patient may be located, and how the service must be documented and billed. Surveyors, whether from a Medicare contractor, accreditor, or a state partner, assess whether your operations consistently meet those conditions. For small teams with limited budget, the key is to convert regulatory text into repeatable steps at scheduling, during the visit, and at claim submission. Done well, compliance becomes a habit that protects patients, revenue, and reputation.

Understanding How Surveyors Evaluate Telehealth Compliance Under 42 CFR § 410.78

42 CFR § 410.78 is the backbone of Medicare telehealth. Surveyors apply it in a practical sequence that mirrors the life of an encounter:

1) Modality meets definition

The regulation requires an interactive telecommunications system, generally two-way, real-time audio and video, unless a specific service is permitted audio-only. Surveyors look for explicit documentation of the modality used and, when audio-only is allowed and chosen, a clinically appropriate reason for its use. They also check that the service billed matches the modality documented (42 CFR § 410.78(a)(3)).

2) Practitioner eligibility at the distant site

Only certain distant-site practitioners may furnish and bill professional telehealth services. Surveyors confirm the clinician’s type and enrollment align with what was billed, and verify that supervision or incident-to rules were not misapplied to make an ineligible practitioner “appear” eligible (42 CFR § 410.78(b)(2)).

3) Patient location and originating site controls

The rule addresses originating sites and, where applicable, the facility fee (Q3014). Surveyors scan notes for the patient’s physical location at the time of service and verify that, if Q3014 was billed, the site qualified and documentation supports the fee (42 CFR § 410.78(b)(3)–(4)). They also ensure home-based visits are billed properly when allowed and are not inadvertently tied to facility fees.

4) Code eligibility for the date of service

CMS maintains a Medicare Telehealth Services List with codes eligible for telehealth and the modality allowed. Surveyors compare billed codes on the claim to the list that applied on the date of service, catching situations where a practice continued a pandemic-era habit after the policy changed (42 CFR § 410.78(f)). If the code was not on the list, or required video, but the chart shows audio-only, the finding is straightforward.

5) Claims details and internal consistency

Place of service (POS), modifiers (e.g., those indicating telehealth), and provider location details must be correct and consistent with the chart. Surveyors compare the note header, scheduling data, and claim line to confirm they tell the same story. They also review whether the time or complexity documentation supports the level billed, especially when time drives selection.

6) Policy governance and staff training

Surveyors assess whether the clinic has right-sized, current policies (e.g., a one-page telehealth coding crosswalk, a brief documentation standard), shows evidence of training, and follows a simple internal audit routine. If the practice can produce dated versions and short “what changed” memos tied to CMS updates, credibility rises quickly.

Why this legal framework matters: If you're scheduling prompts, note templates, and claim edits to enforce the elements above, your charts inherently “prove” compliance with § 410.78, minimizing denials and post-payment risk.

The OCR’s Authority in Telehealth Compliance

While § 410.78 governs coverage and payment, the HHS Office for Civil Rights (OCR) enforces HIPAA for all telehealth operations that create, receive, maintain, or transmit protected health information. Surveyors focused on § 410.78 do not issue HIPAA penalties, but they will note red flags that often trigger OCR scrutiny: missing Business Associate Agreements (BAAs) with video platforms, weak access controls, or recurring misdirected links and e-mails. OCR investigations typically arise from:

• Patient complaints about privacy, identity verification failures, or being overheard on speakerphone during visits.

• Self-reported breaches (e.g., lost unencrypted device with video files, link sent to the wrong patient).

• Pattern reviews when multiple events suggest training gaps or absent BAAs.

Small practices should integrate HIPAA safeguards into the same workflows they use to meet § 410.78. Doing so prevents parallel problems, payment denials and privacy incidents, from the same encounter.

Below are actionable steps tied directly to 42 CFR § 410.78. Each step states how to comply, what to document, and how to implement with limited resources.

1) Create a one-page Telehealth Code Crosswalk

How to comply: List your top telehealth CPT/HCPCS codes with on-list status, required modality (video vs audio-only when allowed), POS/modifiers, and any service-specific conditions.
What to document: Dated crosswalk with a short “what changed” memo whenever CMS updates occur.
Low-cost implementation: A locked spreadsheet with data validation; store it in a shared folder and print a copy near clinician workstations.

2) Standardize a telehealth note header

How to comply: Add mandatory fields: patient physical location at the time of the encounter, distant-site practitioner, modality used (and audio-only rationale if allowed and used), platform, and time if time drives code selection.
What to document: Template screenshot, a one-page quick guide for clinicians, and a monthly “missing fields” report.
Low-cost implementation: Use smart phrases or form templates; if your EHR cannot enforce required fields, attach a pre-visit checklist scanned into the chart.

3) Configure claim edits that block non-compliant submissions

How to comply: Turn on two edits: (a) prevent submission of codes not on your crosswalk for the date of service; (b) flag missing or incompatible POS/modifiers for telehealth.
What to document: Written billing SOP for telehealth, screenshots of edit settings, and a denial trend report.
Low-cost implementation: Most clearinghouses support front-end edits; a simple rule set prevents costly post-payment recoupments.

4) Control originating site and Q3014

How to comply: Use a yes/no checklist to confirm when Q3014 is eligible and record the patient’s location accordingly. Do not bill Q3014 for ineligible home-based visits.
What to document: Completed checklists and periodic spot checks.
Low-cost implementation: Add a one-click macro to your EHR that inserts the Q3014 eligibility statement into the note.

5) Verify practitioner eligibility and enrollment details

How to comply: Keep a roster of eligible distant-site practitioners and ensure enrollment/addresses align with billing. Confirm that supervision or incident-to rules are not used improperly to create eligibility.
What to document: Practitioner eligibility roster with effective dates and a quarterly review log.
Low-cost implementation: A shared, read-only roster with a reminder on the office manager’s calendar.

6) Establish privacy safeguards that align with telehealth workflows

How to comply: Maintain BAAs with telehealth vendors, enable multifactor authentication, restrict downloads, include telehealth in your HIPAA risk analysis, and keep a two-page incident response playbook.
What to document: Vendor inventory with BAA dates, security settings, risk analysis addendum, and incident logs.
Low-cost implementation: Use a vendor scorecard (one row per vendor) to track BAA status and security controls.

7) Train in 45 minutes; verify in five

How to comply: Provide concise annual training on § 410.78 basics: modality definitions, patient location documentation, POS/modifiers, Q3014, and HIPAA safeguards for telehealth. End with a five-question quiz.
What to document: Slides or a one-pager, attendance, quiz scores, and remediation notes.
Low-cost implementation: Reuse official fact sheets to build the training and schedule it during a standard staff meeting.

8) Run a 10-chart monthly audit

How to comply: Randomly sample recent telehealth encounters and check each required element: code eligibility for date of service, modality vs. code, patient location, POS/modifiers, Q3014 eligibility, and privacy checklist.
What to document: A simple audit log (chart, defect, fix, owner, close date) and a monthly one-page summary.
Low-cost implementation: Rotate the auditor role each month to spread knowledge and keep time demands low.

These steps hard-wire § 410.78 into daily operations so that your documentation and claims automatically align with what surveyors expect.

Background. A two-provider family medicine clinic relied heavily on virtual visits. A payer conducted a focused review after noticing a spike in audio-only claims.

Findings. Ten of 30 sampled charts billed codes requiring audio-video but documented audio-only without a permissible rationale. Seven charts lacked the patient’s location. Three claims billed Q3014 for home-based visits. Modifiers and POS were inconsistent across five claims. The clinic had no dated crosswalk or documented training specific to § 410.78.

Consequences. The payer issued an overpayment request and required a corrective action plan. The practice spent weeks reworking claims and notes, delaying cash flow. Staff reported uncertainty about “when audio-only is okay.”

Remediation. The clinic created a Telehealth Code Crosswalk with modality flags; added a mandatory note header including location and modality; enabled claim edits that prevented non-eligible codes from submission; adopted a Q3014 checklist; and delivered a 45-minute training with a short quiz. A 10-chart monthly audit began immediately.

Outcome. Denials dropped below 3% within one month. The payer accepted the corrective action plan, reduced the recoupment based on corrected claims, and closed the review. Staff satisfaction improved as documentation became faster and clearer.

Common Pitfalls to Avoid Under 42 CFR § 410.78

Before expanding your telehealth offerings, address these frequent errors that surveyors repeatedly cite. Each pitfall includes the practical consequence and how fixing it reduces risk under the regulation.

• Billing a service not on the telehealth list for the date of service. Consequence: denial and potential recoupment; Fix: a dated crosswalk and front-end edits stop ineligible codes from reaching payers.

• Missing documentation of patient location and modality. Consequence: inability to prove the encounter met telehealth conditions; Fix: a mandatory header guarantees the chart records the regulatory elements.

• Using audio-only where video is required. Consequence: non-payable claims and pattern-of-error exposure; Fix: an audio-only rationale field that appears only on codes where it is permitted.

• Improper Q3014 billing. Consequence: overpayment and corrective action plans; Fix: a quick yes/no checklist that enforces originating-site eligibility.

• Out-of-date policies and no training proof. Consequence: credibility problems and repeat defects; Fix: a one-page “what changed” memo with each CMS update and a 45-minute annual training with a retained roster.

Addressing these pitfalls first creates an immediate “floor” of compliance that materially lowers review risk.

• Put rules where work happens. Post the “Top 12 telehealth codes” with modality flags where clinicians document; keep the crosswalk within a click in the EHR.

• Gate note completion. Configure templates, so the note cannot be signed without completing location/modality fields; if the EHR cannot gate, use a pre-visit checklist the MA completes.

• Short, standard scripts. Provide two-line scripts for identity verification and audio-only rationale. Consistency speeds charting and improves defensibility.

• Micro-dashboards. Share denial rates and top two reasons at a 10-minute monthly huddle to sustain attention without overwhelming staff.

• Vendor scorecards. Track telehealth platforms for BAA status, MFA, export rights, and last access review; this doubles as HIPAA evidence and impresses surveyors.

• Document change control. Every crosswalk revision gets a date, version number, and a three-bullet “what changed” summary. That single page resolves many survey questions.

These practices are inexpensive, quick to implement, and directly map the regulation into predictable behavior.

Policy binds and templates are necessary; culture makes them stick. Assign three named owners: Clinical Lead (templates, modality), Revenue Cycle Lead (codes, POS/modifiers, Q3014), and Privacy/Security Lead (BAAs, MFA, incidents). Hold a 15-minute monthly huddle to review one metric (denials), one audit trend, and one “what changed” item. Incorporate telehealth orientation into week-one onboarding. Encourage near-miss reporting without blame, and close the loop publicly when fixes are implemented. Recognize “zero-defect months” to reinforce the habit of complete headers and correct claims.

Final recommendations. Treat 42 CFR § 410.78 as a checklist embedded in your systems: (1) a dated code crosswalk, (2) a mandatory note header that proves modality and patient location, (3) claim edits that enforce eligibility and correct POS/modifiers, (4) Q3014 controls, (5) practitioner eligibility verification, (6) HIPAA safeguards integrated into telehealth, (7) concise training with proof, and (8) a small but steady internal audit. These few artifacts, kept short and updated, make your practice survey-ready year-round.

Advisers (affordable, practical solutions).

• Lightweight compliance software or shared folders to version the crosswalk, store training rosters, and track audit defects to closure.

• Clearinghouse claim edits configured to block ineligible telehealth codes and missing modifiers/POS, often included at little additional cost.

• Free government resources for policy text and training slides so you do not reinvent the wheel. Aligning your templates with official language reduces ambiguity during reviews.

Next steps (30/60/90 days).

• 30 days: Publish your Telehealth Code Crosswalk; deploy the note header; run a pilot 10-chart audit and fix defects.

• 60 days: Turn on claim edits; implement the Q3014 checklist; execute any missing BAAs and enable MFA.

• 90 days: Deliver annual training with a short quiz; issue a “what changed” memo if CMS updates occur; aim for two consecutive clean audit cycles before expanding services.

• 42 CFR § 410.78 — Telehealth services (eCFR)

• Medicare Telehealth Services List — CMS
  

• HIPAA Guidance on Audio-Only Telehealth — HHS Office for Civil Rights