Telehealth Liability Risks: Avoid Corrective Action (42 CFR 410.78)
Executive Summary
Telehealth can expand access and stabilize revenue for small practices, but it also creates liability if operations do not conform to 42 CFR § 410.78, Medicare’s telehealth regulation. The most frequent risks occur where law meets workflow: furnishing services that are not approved for telehealth on the date of service, using an unsupported modality, submitting claims with an incorrect place of service or modifiers, and overlooking HIPAA safeguards. By translating § 410.78 into day-to-day procedures (eligibility checks, a standardized note header, claim-edit safety nets, and basic privacy controls), small teams can demonstrate compliance without expensive tools. This guide provides a practical blueprint to keep your virtual care program safe, audit-ready, and patient-centered.
Introduction
For many small healthcare practices, telehealth is the backbone of appointment access, no-show reduction, and chronic care follow-up. What turns a helpful service into a liability is not the technology but gaps in compliance with 42 CFR § 410.78, which defines what Medicare recognizes and pays as telehealth. Surveyors and payers expect you to furnish telehealth only for services on the Medicare Telehealth Services List for the date of service, to document the required modality and patient location, and to submit claims with accurate place of service (POS) and modifier usage. Your team also needs HIPAA-level privacy and security safeguards for remote encounters. This article converts the regulation into concrete controls that small clinics can put in place quickly and maintain with limited budgets.
Understanding Telehealth Liability Risks Under 42 CFR § 410.78
42 CFR § 410.78 sets the parameters for Medicare telehealth services. Understanding its core elements, and where they translate into everyday risk, is the foundation for preventing denials, recoupments, or corrective action plans.
What counts as a telehealth service
The regulation defines telehealth as services furnished via an interactive telecommunications system, generally two-way, real-time audio and video. Some codes may be eligible for audio-only when permitted. If your chart does not clearly show that the encounter met the defined modality for the billed code and date, the claim is vulnerable.
Who may furnish and bill
Only certain distant-site practitioners are eligible to furnish and bill professional telehealth services. When billing is submitted under ineligible practitioner types, or the enrollment/location is inconsistent with your claims, surveyors view this as a basic compliance failure.
Which services are payable, and when
CMS maintains a Medicare Telehealth Services List and updates it through processes described in § 410.78(f). If a service is not on the list for the date of service, or appears on the list with conditions you did not meet (for example, video required but audio-only used), the claim is at risk. The most common liability pattern arises when practices continue “pandemic-era habits” after policies change and forget to update templates and edits.
Originating site and Q3014
The rule also addresses originating sites and the separate facility fee Q3014. Billing Q3014 for an ineligible location, or failing to document the patient’s location at the time of service, can produce recoveries and signal broader program weakness.
Why this framework matters: In practical terms, § 410.78 is the yardstick surveyors use when they look at your charts and claims. If your scheduling logic, templates, and edits enforce that same yardstick, your liability risk drops dramatically.
The OCR’s Authority in Telehealth Liability
While § 410.78 governs coverage and payment, the HHS Office for Civil Rights (OCR) enforces HIPAA across all telehealth operations. That means PHI created or transmitted during virtual encounters must be protected through administrative, physical, and technical safeguards. In the telehealth context, OCR investigations commonly begin with:
- Patient complaints about privacy (for example, visits conducted on speakerphone where PHI can be overheard, or video links sent to the wrong person).
- Self-reported breaches, such as loss of an unencrypted device, misdirected discharge instructions, or exposed recordings/transcripts.
- Pattern or targeted reviews when repeated issues suggest missing Business Associate Agreements (BAAs), weak access controls, or insufficient workforce training.
Although OCR does not decide whether your telehealth code was payable, a HIPAA finding can multiply your overall program risk, require corrective actions, and disrupt workflows that affect billing. Integrating privacy safeguards into your telehealth policies therefore protects you on both fronts: payment integrity and patient trust.
Step-by-Step Compliance Guide for Small Practices
The following actions translate § 410.78 and HIPAA expectations into lightweight controls a small team can maintain without expensive tools. Each step includes how to comply, what to document, and a low-budget implementation idea.
1) Name three owners and meet for 15 minutes monthly
How to comply: Assign a Telehealth Clinical Lead (templates and modality), a Revenue Cycle Lead (codes, POS, modifiers, Q3014), and a Privacy/Security Lead (BAAs, MFA, risk analysis, incidents). Hold a brief monthly huddle with a three-item agenda: denials, documentation defects, and rule updates.
What to document: A one-page governance sheet listing owners and duties, plus short meeting notes and an action log.
Low-budget idea: Use a shared note with checkboxes; it doubles as your “audit evidence.”
2) Build a dated Telehealth Code Crosswalk tied to § 410.78(f)
How to comply: Create a one-sheet table of your top telehealth codes with descriptor, on-list status for the current period, allowed modality (video vs audio-only), POS/modifiers, and Q3014 applicability. Update the sheet whenever CMS changes the telehealth list.
What to document: The Crosswalk with version dates and a short “What changed” memo each time you update it.
Low-budget idea: A locked spreadsheet with data validation prevents typos and accidental edits.
3) Standardize the telehealth chart header, so the note proves the rule
How to comply: Add mandatory fields to the telehealth template: patient physical location at encounter time, distant-site practitioner, modality (video vs audio-only, with a one-sentence reason if audio-only is allowed and used), platform, identity verification if performed, and time when it drives code selection.
What to document: Template screenshots, a one-page quick guide for clinicians, and a monthly list of notes missing any header element.
Low-budget idea: If your EHR cannot enforce required fields, use a brief pre-visit checklist completed by staff and scanned into the chart.
4) Turn on two claim edits to stop non-covered telehealth claims
How to comply: Configure edits to (a) block claims when the code is not on your Crosswalk for the service date, and (b) flag missing modifiers/POS required for telehealth.
What to document: A short billing SOP for telehealth and a denial dashboard that lists top telehealth denial reasons.
Low-budget idea: Most practice-management or clearinghouse systems support custom front-end edits at minimal cost.
5) Control the originating site facility fee (Q3014)
How to comply: If you bill Q3014, create a yes/no checklist aligned with § 410.78 to confirm the patient’s location qualifies. Require staff to record that location in the chart and in scheduling notes when Q3014 is considered.
What to document: The Q3014 checklist and periodic spot-check results.
Low-budget idea: Add the checklist as an EHR macro, so staff can complete it in seconds.
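As an added illustration of the two claim edits in step 4 and the Q3014 location check in step 5 (this is example code written for this guide, not the article's own tool or any practice-management vendor's product), the Python below validates a batch of claims against a dated Crosswalk. Every code, modifier, POS value, date and eligible-location set in it is a constructed placeholder; a practice would substitute its own Crosswalk rows, taken from the current CMS list, and its own Q3014 checklist criteria. The same checks, run over a random sample of charts, are the mechanical part of the 10-chart audit in step 8.

```python
"""Pre-submission telehealth claim edit: example for this guide, not a real billing system.

Edits implemented (step 4 and step 5 of the guide):
  (a) BLOCK when the code is not on the dated Crosswalk for the service date;
  (b) FLAG when the telehealth POS or a required modifier is missing;
  plus BLOCK when audio-only is used where the Crosswalk requires video, and
  BLOCK Q3014 when the documented patient location is not an eligible originating site.
All codes, modifiers, POS values, dates and locations below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class CrosswalkEntry:
    """One row of the dated Telehealth Code Crosswalk (step 2 of the guide)."""
    code: str
    effective_from: date
    effective_to: Optional[date]        # None means the code is still on the list
    allowed_modalities: frozenset       # e.g. {"video"} or {"video", "audio-only"}
    telehealth_pos: frozenset           # POS values acceptable for this code
    required_modifiers: frozenset       # modifiers that must be present on the claim


@dataclass(frozen=True)
class Claim:
    """Fields the edit needs, taken from the note header and the claim form."""
    claim_id: str
    code: str
    service_date: date
    modality: str
    pos: str
    modifiers: frozenset
    patient_location: str               # empty string = not documented
    bills_q3014: bool = False


# Constructed placeholder Crosswalk; real rows come from the practice's own sheet.
CROSSWALK = (
    CrosswalkEntry("TH-VISIT-A", date(2024, 1, 1), None,
                   frozenset({"video", "audio-only"}), frozenset({"POS-TH"}), frozenset({"MOD-TH"})),
    CrosswalkEntry("TH-VISIT-B", date(2024, 1, 1), None,
                   frozenset({"video"}), frozenset({"POS-TH"}), frozenset({"MOD-TH"})),
    # Dropped from the list at the end of 2024: later service dates must be blocked.
    CrosswalkEntry("TH-VISIT-C", date(2023, 1, 1), date(2024, 12, 31),
                   frozenset({"video"}), frozenset({"POS-TH"}), frozenset({"MOD-TH"})),
)

# Constructed placeholder: locations the practice's Q3014 checklist accepts.
Q3014_ELIGIBLE_LOCATIONS = frozenset({"clinic", "hospital"})


def crosswalk_lookup(crosswalk, code: str, service_date: date) -> Optional[CrosswalkEntry]:
    """Return the Crosswalk row in effect on the service date, or None if the code is off-list."""
    for entry in crosswalk:
        if entry.code != code:
            continue
        if entry.effective_from <= service_date and (
            entry.effective_to is None or service_date <= entry.effective_to
        ):
            return entry
    return None


def check_claim(claim: Claim, crosswalk=CROSSWALK,
                eligible_locations=Q3014_ELIGIBLE_LOCATIONS) -> list[str]:
    """Run the front-end edits; BLOCK = hold the claim, FLAG = review before release."""
    defects: list[str] = []
    entry = crosswalk_lookup(crosswalk, claim.code, claim.service_date)
    if entry is None:
        # Edit (a): not on the dated Crosswalk for this service date.
        defects.append(f"BLOCK: {claim.code} is not on the Crosswalk for {claim.service_date}")
        return defects
    if claim.modality not in entry.allowed_modalities:
        defects.append(f"BLOCK: modality '{claim.modality}' not allowed for {claim.code}")
    # Edit (b): telehealth POS and required modifiers.
    if claim.pos not in entry.telehealth_pos:
        defects.append(f"FLAG: POS '{claim.pos}' is not a telehealth POS for {claim.code}")
    missing = entry.required_modifiers - claim.modifiers
    if missing:
        defects.append(f"FLAG: missing modifier(s) {sorted(missing)}")
    # Q3014 control: the originating-site fee only when the documented location qualifies.
    if not claim.patient_location:
        defects.append("FLAG: patient location not documented")
    elif claim.bills_q3014 and claim.patient_location not in eligible_locations:
        defects.append(f"BLOCK: Q3014 billed but location '{claim.patient_location}' "
                       "is not an eligible originating site")
    return defects


def run_edits(claims) -> dict[str, list[str]]:
    """Return {claim_id: defects} for every claim that fails at least one edit."""
    results = {c.claim_id: check_claim(c) for c in claims}
    return {cid: d for cid, d in results.items() if d}


# Constructed sample batch mirroring the kinds of findings in the case study.
SAMPLE_CLAIMS = (
    Claim("C1", "TH-VISIT-A", date(2025, 3, 3), "video", "POS-TH", frozenset({"MOD-TH"}), "home"),
    Claim("C2", "TH-VISIT-C", date(2025, 3, 4), "video", "POS-TH", frozenset({"MOD-TH"}), "home"),
    Claim("C3", "TH-VISIT-B", date(2025, 3, 5), "audio-only", "POS-TH", frozenset({"MOD-TH"}), "clinic"),
    Claim("C4", "TH-VISIT-A", date(2025, 3, 6), "video", "POS-OFFICE", frozenset(), ""),
    Claim("C5", "TH-VISIT-A", date(2025, 3, 7), "video", "POS-TH", frozenset({"MOD-TH"}), "home",
          bills_q3014=True),
)

if __name__ == "__main__":
    for cid, defects in run_edits(SAMPLE_CLAIMS).items():
        print(cid, "->", "; ".join(defects))
```

Only C1 passes cleanly; C2 is held as off-list for its date, C3 for audio-only on a video-only code, C5 for Q3014 on a home location, and C4 is flagged three times (wrong POS, missing modifier, no documented location). Keeping effective dates on each Crosswalk row is what lets the same rule give the right answer for an old claim and a new one, which is the point of a dated Crosswalk rather than a static code list.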
6) Close HIPAA gaps before they become findings
How to comply: Maintain an inventory of telehealth vendors, execute BAAs with each, enable multifactor authentication (MFA), encrypt data in transit, restrict downloads to approved devices, include telehealth in your risk analysis, and keep a two-page incident playbook for misdirected links, device loss, or wrong-patient communication.
What to document: Vendor inventory and scorecards, signed BAAs, a risk-analysis addendum covering telehealth, incident logs, and brief tabletop-drill notes.
Low-budget idea: Use a one-page vendor scorecard: BAA date, MFA status, who can export PHI, last access review.
7) Train in 45 minutes; verify in five
How to comply: Deliver a concise annual module to everyone who schedules, documents, or bills in telehealth. Cover: (1) what § 410.78 requires, (2) audio-only rules, (3) the note header elements, (4) POS/modifier basics and Q3014, and (5) privacy do’s/don’ts. End with a five-question quiz.
What to document: Slides or a one-pager, attendance logs, quiz results, and remediation notes for anyone who needs a refresher.
Low-budget idea: Reuse official fact sheets to build your slides and keep the session to under one hour.
8) Run a 10-chart monthly audit and close all defects in 10 business days
How to comply: Randomly sample 10 recent telehealth encounters and check: eligible code, modality documentation, patient location, POS/modifiers, Q3014 eligibility, and privacy checklist items. Assign owners for each defect and confirm closure within 10 business days.
What to document: A simple audit log (chart, defect, fix, owner, close date) and a monthly one-page summary.
Low-budget idea: Rotate the audit role, so the workload is light and knowledge spreads.
Case Study
Background. A two-provider internal medicine clinic used telehealth heavily for chronic disease management. Denials climbed after policy updates. A payer requested 30 records for review.
Findings. Six claims used codes that were not on the telehealth list for the dates billed. Five charts documented audio-only for services that required video. Seven charts lacked the patient’s location. The clinic billed Q3014 for home-based patients in four encounters. The video vendor had no BAA, and two misdirected invites had triggered patient complaints.
Consequences. The payer recommended a partial recoupment and required a corrective action plan. OCR sent an inquiry related to the patient complaints and the missing BAA. Staff were frustrated and uncertain about “the right way” to document virtual visits.
Remediation. The clinic published a dated Telehealth Code Crosswalk, turned on claim edits to stop unlisted codes and missing modifiers/POS, and launched a mandatory note header with a one-sentence audio-only rationale when allowed. They executed a BAA, enabled MFA, and created a two-page incident playbook. A 10-chart monthly audit began with defect tracking and closure deadlines.
Outcome. Within two months, denials fell below 3%. The payer reduced the recoupment after corrected claims were submitted for eligible services. OCR closed its inquiry after reviewing the BAA, risk-analysis addendum, and training logs. Staff reported higher confidence because expectations were written, short, and consistent.
Simplified Self-Audit Checklist for Telehealth Liability Protection (42 CFR § 410.78)
| Task | Responsible Party | Timeline | CFR Reference |
|---|---|---|---|
| Maintain a dated Telehealth Code Crosswalk (codes, descriptors, allowed modality, POS/modifiers, effective dates) | Revenue Cycle Lead | Update with each CMS change; quarterly review | 42 CFR § 410.78(f) |
| Enforce a telehealth note header (patient location, distant-site practitioner, modality, platform, time if relevant) | Clinical Lead / IT | Implement now; monitor monthly | 42 CFR § 410.78(a)–(b) |
| Verify practitioner eligibility and enrollment/location alignment with claims | Billing Supervisor | Onboarding and quarterly | 42 CFR § 410.78(b) |
| Control Q3014 with an eligibility checklist and location documentation | Office Manager / Billing | At launch; annual refresh | 42 CFR § 410.78(b) |
| Execute BAAs; enable MFA; add telehealth to risk analysis; keep an incident playbook | Privacy/Security Officer | Before PHI flows; annual review | HIPAA (OCR) |
| Turn on claim-edit rules to block non-listed codes and missing POS/modifiers | Revenue Cycle Lead | Immediate; validate monthly | 42 CFR § 410.78; CMS list |
| Run a 10-chart monthly audit; remediate all defects within 10 business days | Compliance Officer | Monthly | 42 CFR § 410.78; program integrity |
| Publish a one-page “What changed” memo when CMS updates occur | Compliance / Clinical Lead | As released | 42 CFR § 410.78(f) |
| Provide annual 45-minute training with a 5-question quiz; retain logs | HR / Compliance | Annual and at onboarding | 42 CFR § 410.78; HIPAA training expectations |
Common Pitfalls to Avoid Under 42 CFR § 410.78
Before adding new telehealth services or scaling volume, review these frequent errors tied directly to the regulation. Each item includes the practical consequence and how fixing it reduces liability.
- Billing a service that is not on the telehealth list for that date. Consequence: denial and potential recoupment for a pattern of non-covered services. Fix: use a dated Crosswalk and claim edits so only eligible services pass to submission.
- Missing modality and patient location in the note. Consequence: you cannot prove the encounter met the telehealth definition; reviewers deny or downcode. Fix: a mandatory header guarantees the chart shows the regulatory elements.
- Using audio-only where video is required. Consequence: non-payable claim and pattern-of-error risk. Fix: a two-line script documents the reason audio-only was permitted (only when CMS allows it).
- Improper Q3014 billing. Consequence: overpayment and compliance plan requirements. Fix: a quick eligibility checklist tied to § 410.78(b).
- No BAAs or weak access controls with telehealth vendors. Consequence: OCR exposure, remediation costs, and reputational damage. Fix: vendor scorecards, MFA, export restrictions, and risk-analysis updates.
- Failure to update templates and edits after § 410.78(f) changes. Consequence: systemic error rates and heightened audit scrutiny. Fix: a one-page “What changed” memo and a 10-minute staff huddle each time policy shifts.
These targeted fixes form a pre-submission check that removes most high-probability liabilities with minimal effort.
Best Practices for Telehealth Compliance (Practical and Affordable)
- One-page rules at the point of care. Post your “Top 12 telehealth codes” with modality notes and any audio-only allowances where clinicians document. Short, visible guidance gets used.
- Template gating. Where possible, block note sign-off until header fields are complete. If your EHR cannot enforce it, use a scanned pre-visit checklist that captures the same data.
- Micro-scripts for staff. Provide two lines for identity verification and two lines for audio-only rationale. Standard wording speeds documentation and improves consistency.
- Vendor scorecards. Track for each platform: BAA date, MFA status, who can export PHI, last access review, and incident contact. This produces instant “audit-ready” evidence.
- Denial mini-dashboard. Share the telehealth denial rate and top two reasons at a monthly 10-minute huddle. Visibility changes behavior without heavy oversight.
- Rotate the auditor. Spreading the monthly 10-chart review builds shared understanding and keeps the workload light.
Each best practice is designed to convert regulatory text into routine habits that protect both patients and revenue.
Building a Culture of Compliance Around Telehealth Liability Protection
Policies and templates are only effective when the team uses them every day. Culture is the difference between “paper compliance” and reliable performance under pressure.
- Make ownership explicit. Give the Clinical, Revenue Cycle, and Privacy/Security Leads authority to change templates and edits quickly when rules shift.
- Onboard with intent. New hires complete the telehealth module in week one and receive the Crosswalk, the header quick guide, and the incident playbook.
- Normalize self-correction. Encourage staff to flag defects; fix, rebill if needed, and log the lesson. Reviewers look favorably on self-identified remediation.
- Recognize zero-defect months. Small rewards or public shout-outs reinforce careful documentation and accurate coding.
Keep a portable “Telehealth Binder.” Store Crosswalk versions, “What changed” memos, template screenshots, BAAs, risk-analysis addendum, audit logs, training records, and the incident playbook in a shared location. When documentation is requested, you can respond same day, and with confidence.
Concluding Recommendations, Advisers, and Next Steps
Recommendations. Reduce liability by aligning operations with 42 CFR § 410.78 through five pillars: governance (clear owners), documentation (a mandatory header that proves modality and location), coding and billing accuracy (including Q3014 control), HIPAA safeguards embedded in telehealth workflows, and change management enforced by claim edits and a monthly audit. Keep artifacts short (a one-page Crosswalk, a one-page “What changed” memo, a two-page incident playbook) so staff actually use them.
Advisers (affordable, practical solutions).
- Use the EHR you already own. Add smart phrases for the header, build a simple report listing missing elements, and pin the “Top 12 telehealth codes” to clinician templates.
- Low-cost claim-edit rules. Configure your PM or clearinghouse to block non-listed codes and missing modifiers/POS; these edits pay for themselves in prevented denials.
- Lightweight compliance tracker. A simple tool or organized shared drive can store BAAs, training logs, audit results, and export a ready-to-share “Telehealth Binder.”
- Free government resources. CMS fact sheets and the Medicare Telehealth Services List clarify what’s payable; OCR guidance explains audio-only safeguards; OIG materials help small practices structure a right-sized compliance program.
Next steps (30/60/90 days).
- 30 days: Publish your Crosswalk and deploy the note header; hold the 45-minute training with a 5-question quiz.
- 60 days: Turn on claim edits; execute any pending BAAs and enable MFA; run your first 10-chart audit and close all defects.
- 90 days: Review denial trends; refine the audio-only script; issue a “What changed” memo if CMS updates occur; expand telehealth services only after two consecutive clean audit cycles.