Telehealth Compliance Manual: The 5 Core Policies (42 CFR § 410.78)
Executive Summary
Small practices can deliver safe, reimbursable virtual care by anchoring their telehealth programs to 42 CFR § 410.78, Medicare’s telehealth regulation. Surveyors and payers evaluate whether you followed five foundational policies: (1) service and practitioner eligibility aligned to Medicare’s telehealth rules; (2) documentation that proves telehealth occurred as defined by the regulation; (3) correct coding, place of service, and modifiers, including rules for the originating site facility fee; (4) HIPAA privacy and security safeguards integrated into telehealth workflows; and (5) a change-management and audit process to keep up with CMS updates under § 410.78(f). Establishing and enforcing these five policies reduces denials, prevents recoupments, and strengthens patient trust in your virtual care program.
Introduction
Telehealth is now everyday medicine, not a temporary workaround. For a small clinic, success depends on the ability to scale virtual visits while staying inside Medicare’s rules. 42 CFR § 410.78 defines what Medicare considers a telehealth service, who may furnish and bill it, the required technology (interactive telecommunications system), and how new services are added to the telehealth list through annual CMS rulemaking. Translating these requirements into clear, written policies makes staff behavior consistent, documentation reliable, and billing defensible. This guide outlines the five core policies every small practice should adopt and maintain in its telehealth compliance manual, with concrete actions, tools, and a realistic case study to show how each policy performs under scrutiny.
Understanding “The 5 Core Policies” Under 42 CFR § 410.78
42 CFR § 410.78 is the governing regulation for Medicare telehealth services. At its core, it does four things relevant to a small practice:
- Defines telehealth services and requires an interactive telecommunications system (generally two-way, real-time audio and video), with limited circumstances in which audio-only is permitted for specified services.
- Identifies the distant-site practitioners eligible to furnish and bill telehealth professional services.
- Describes originating-site concepts and the separate originating site facility fee (Q3014) that eligible sites may bill.
- Establishes the process under § 410.78(f) by which CMS adds, deletes, or revises codes on the Medicare Telehealth Services List, including the category-based criteria for adding services.
Your compliance manual should distill these legal requirements into five operational policies that staff can execute every day:
- Policy 1: Service & Practitioner Eligibility. Only furnish and bill telehealth services that are on the CMS telehealth list for the date of service, and only through eligible distant-site practitioners.
- Policy 2: Documentation & Modality. Every telehealth note must prove the regulatory elements: patient location, distant-site practitioner, technology/modality (video, or audio-only where allowed), platform used, and time when it is relevant to code selection.
- Policy 3: Coding, POS, Modifiers & Q3014. Claims must reflect correct place of service and modifier guidance for telehealth; originating-site billing follows the Q3014 rules.
- Policy 4: HIPAA Privacy & Security for Telehealth. Telehealth platforms and workflows must implement reasonable safeguards, Business Associate Agreements (BAAs), access controls, and incident response.
- Policy 5: Change Management & Internal Audit. The practice monitors CMS updates under § 410.78(f), updates templates and crosswalks, and runs a recurring chart audit with corrective actions.
Understanding and enforcing this framework is essential to reduce risks, avoid payment denials, and remain audit-ready.
OCR’s Authority over Telehealth Workflows
While CMS and § 410.78 define coverage and payment, the HHS Office for Civil Rights (OCR) enforces HIPAA privacy, security, and breach notification across all telehealth workflows. OCR can open investigations based on:
- Patient complaints (e.g., a video link sent to the wrong person, calls conducted without privacy).
- Self-reported breaches (lost devices, misdirected messages, exposed recordings or transcripts).
- Targeted or random reviews when patterns of noncompliance emerge (e.g., common vendor gaps or missing BAAs).
Your compliance manual’s five policies must explicitly integrate HIPAA expectations: vendor vetting and BAAs; role-based access and multifactor authentication; encryption for data in transit and for any stored recordings or transcripts; the minimum necessary standard; identity verification when appropriate; and a step-by-step incident-response playbook. When OCR expectations are built into daily telehealth operations, your clinic can demonstrate both regulatory alignment and a strong culture of safeguarding patient information.
Step-by-Step Compliance Guide for Small Practices
This guide converts the five core policies into practical steps that a lean team can implement quickly.
Policy 1, Service & Practitioner Eligibility
How to comply.
1) Build a Telehealth Code Crosswalk listing your top virtual services: code, description, whether audio-only is allowed, required modifiers/POS, and effective dates.
2) Maintain a distant-site practitioner roster with NPIs, taxonomy, and enrollment addresses.
3) Configure scheduling to tag telehealth visits by code family to reduce miscoding risk.
Documents to keep.
- Dated Telehealth Code Crosswalk (retain prior versions).
- Practitioner eligibility roster (updated at onboarding and quarterly).
- Scheduling SOP linking visit types to codes.
Low-budget implementation tip.
Use a shared spreadsheet with data validation for codes/modifiers; lock editing to the compliance lead.
Policy 2, Documentation & Modality
How to comply.
1) Deploy a mandatory telehealth note header with required fields: patient physical location at the time of service; distant-site practitioner; modality (video vs. audio-only, with a brief rationale where audio-only is permitted); platform; identity verification (if applicable); and start/stop or total time when relevant to code selection.
2) For audio-only visits, include a two-line script documenting why video was unavailable or clinically inappropriate and the patient’s agreement to proceed.
Documents to keep.
- Screenshot or printout of the note template.
- One-page “How to document telehealth” quick guide for clinicians.
- Monthly report listing any telehealth encounters missing header fields.
Low-budget implementation tip.
If your EHR cannot gate note completion, use a pre-visit checklist completed by staff and scanned into the chart, so the essentials are recorded before the provider connects.
Policy 3, Coding, POS, Modifiers & Q3014
How to comply.
1) Configure claim edits to block telehealth codes not on the CMS list for the date of service and to flag missing modifiers/POS.
2) Train staff on when the originating site facility fee (Q3014) is valid and how to capture the patient’s location and site eligibility.
3) Reconcile denials monthly, and add rules to stop repeat errors.
Documents to keep.
- Written billing SOP for telehealth (POS/modifier rules, payer nuances).
- Q3014 eligibility checklist and workflow.
- Denial tracking dashboard (top telehealth denial reasons).
Low-budget implementation tip.
Most clearinghouses support customizable edits; turn on an edit that halts claims with codes not on your Crosswalk or missing the telehealth modifier.
Policy 4, HIPAA Privacy & Security for Telehealth
How to comply.
1) Execute BAAs with all vendors that access PHI (video, messaging, transcription, call centers).
2) Enable MFA, encrypt data in transit and on any device that stores recordings or transcripts, and restrict exports to approved devices.
3) Include telehealth in your HIPAA risk analysis and maintain an incident-response playbook for misdirected links, platform outages, device loss, and privacy complaints.
4) Provide role-based training on telehealth privacy “dos and don’ts.”
Documents to keep.
- Vendor inventory (data flows, BAA status, last security review).
- Risk-analysis addendum specific to telehealth.
- Incident log and tabletop drill summaries.
- Annual privacy/security training logs.
Low-budget implementation tip.
Create a one-page vendor scorecard for each telehealth tool: BAA date, MFA enabled (Y/N), who can export, who reviews logs, and incident contact info.
Policy 5, Change Management & Internal Audit (42 CFR § 410.78(f))
How to comply.
1) Monitor CMS updates to the Medicare Telehealth Services List and document effective dates.
2) Update your Crosswalk, templates, and claim edits accordingly.
3) Run a 10-chart telehealth audit monthly: verify modality documentation, code eligibility, POS/modifier accuracy, and HIPAA checkboxes.
4) Log defects and complete corrective actions within 10 business days.
Documents to keep.
- File of CMS fact sheets/transmittals and a short “What changed” summary.
- Monthly audit log with findings and fixes.
- Training addenda reflecting new rules.
Low-budget implementation tip.
Rotate audit duty among staff; end each month with a 10-minute huddle to review two anonymized examples (one perfect, one improved).
Case Study
Setting. A three-provider primary care clinic scaled virtual follow-ups for diabetes and depression. Claims denials crept up, and a payer requested 30 telehealth charts for review.
Issues discovered.
- Six encounters used codes not on the CMS telehealth list for that quarter.
- Eight notes lacked patient location or modality; three were audio-only for codes requiring video.
- Q3014 was billed twice for patients who were at home; the clinic was not the originating site for those encounters, so no facility fee was payable.
- The video platform vendor had no executed BAA.
Actions taken.
- The clinic issued a Telehealth Code Crosswalk and turned on claim edits to block unlisted codes or missing modifiers/POS.
- A mandatory note header went live, with a two-line script for audio-only rationale.
- Staff retrained on Q3014 eligibility and location capture.
- A vendor BAA was executed, MFA enabled, and an incident playbook introduced.
- A 10-chart monthly audit started immediately with defect tracking.
Outcome.
Within two months, denials fell below 3%. The payer accepted corrected claims for allowable services and reduced the recoupment significantly. When a patient later complained about a misdirected invite, the clinic followed its playbook, documented mitigation, and closed the issue without further enforcement. Staff reported higher confidence because expectations were written, simple, and consistent.
Simplified Self-Audit Checklist for “The 5 Core Policies” (42 CFR § 410.78)
| Task | Responsible Party | Timeline | CFR Reference |
|---|---|---|---|
| Maintain a dated Telehealth Code Crosswalk (codes, descriptors, audio-only allowance, POS/modifiers, effective dates) | Revenue Cycle Lead | Update with each CMS change; review quarterly | 42 CFR § 410.78(f) |
| Verify distant-site practitioner eligibility and enrolled locations used on claims | Billing Supervisor | Onboarding and quarterly | 42 CFR § 410.78(b) |
| Enforce a telehealth note header (patient location, distant-site practitioner, modality, platform, time if relevant) | Clinical Lead / IT | Immediate; monitor monthly | 42 CFR § 410.78(a)–(b) |
| Validate originating site and Q3014 billing when applicable | Office Manager / Billing | Before go-live; annual refresh | 42 CFR § 410.78(b) |
| Execute/track BAAs; enable MFA; document privacy drills | Privacy/Security Officer | Prior to PHI flows; review annually | HIPAA (OCR) |
| Run a 10-chart monthly telehealth audit and close defects within 10 business days | Compliance Officer | Monthly | 42 CFR § 410.78; program integrity |
| Retain CMS telehealth updates and publish a one-page “What changed” for staff | Compliance Officer | As released | 42 CFR § 410.78(f) |
| Maintain a telehealth incident playbook; conduct one tabletop drill | Privacy Officer | Semiannual | HIPAA (OCR) |
Common Pitfalls to Avoid Under 42 CFR § 410.78
Before you scale telehealth, avoid these recurrent errors tied directly to the regulation:
- Billing non-listed services as telehealth. If a code is not on the CMS telehealth list for that date of service, it is not payable as telehealth; expect denials and recoupments. A current Crosswalk and claim edits prevent this.
- Missing modality and patient location in notes. Surveyors test whether the encounter met the “interactive telecommunications system” requirement and where the patient was located. Incomplete headers undermine claims.
- Audio-only for codes that require video. Unless CMS allows audio-only for that service and date, payment risk is high. Document a one-sentence rationale whenever audio-only is allowed and used.
- Improper Q3014 billing. Not every patient location qualifies as an originating site; a patient at home, for example, generates no facility fee. Billing Q3014 incorrectly is a common overpayment.
- No BAAs with telehealth vendors. A vendor touching PHI without a BAA is a HIPAA violation and an OCR red flag.
- Weak change management for § 410.78(f) updates. When CMS changes the list, failing to update templates and edits creates systemic error rates.
A 60-second pre-submission check (on-list code for the date of service, correct modality, complete header, POS/modifier accuracy, and Q3014 eligibility) eliminates the vast majority of these issues.
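The pre-submission check above, and the claim edit Policy 3 asks you to configure, are the same rules applied before a claim leaves the practice. The following Python sketch is an added example, not part of the original manual and not any clearinghouse's or EHR vendor's product: it keeps a dated Crosswalk (prior rows retained with an end date so a delisted code is judged against the list as it stood on the date of service), checks the note header for the Policy 2 fields, enforces the audio-only rationale, matches the modifier to the modality and the POS to the Crosswalk, and rejects Q3014 when the patient was not at an eligible originating site. Every code (EX001–EX003), modifier (MV, MA), POS value (P1, P2) and sample claim is a constructed placeholder, not a real CMS, CPT or HCPCS value; a practice would load its own Crosswalk rows instead.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class CrosswalkRow:
    """One dated row of the practice's Telehealth Code Crosswalk.

    All values below are CONSTRUCTED placeholders (codes EX001..EX003,
    modifiers MV/MA, POS P1/P2), not real CMS, CPT or HCPCS values.
    """
    code: str
    audio_only_allowed: bool
    modifier_by_modality: dict        # modality -> modifier the payer expects
    allowed_pos: frozenset
    effective: date                   # first date of service on the list
    end: Optional[date] = None        # last date of service; None = still listed

    def in_effect(self, dos: date) -> bool:
        return self.effective <= dos and (self.end is None or dos <= self.end)


# Constructed crosswalk. A delisted code keeps its row with an end date, so a
# claim is checked against the list as it stood on its own date of service.
CROSSWALK = (
    CrosswalkRow("EX001", False, {"video": "MV"}, frozenset({"P1", "P2"}), date(2024, 1, 1)),
    CrosswalkRow("EX002", True, {"video": "MV", "audio-only": "MA"}, frozenset({"P1", "P2"}), date(2024, 1, 1)),
    # Hypothetical CMS update removed EX003 from the list after 2024-12-31.
    CrosswalkRow("EX003", False, {"video": "MV"}, frozenset({"P1"}), date(2023, 1, 1), end=date(2024, 12, 31)),
)

# Header fields Policy 2 requires on every telehealth note.
REQUIRED_HEADER = ("patient_location", "distant_practitioner", "modality", "platform")


@dataclass
class Claim:
    code: str
    dos: date
    modifier: str
    pos: str
    header: dict                                  # fields captured in the note header
    q3014_billed: bool = False
    patient_at_eligible_originating_site: bool = False


def find_row(code: str, dos: date, crosswalk=CROSSWALK) -> Optional[CrosswalkRow]:
    """Return the crosswalk row for `code` that was in effect on `dos`, if any."""
    for row in crosswalk:
        if row.code == code and row.in_effect(dos):
            return row
    return None


def check_claim(claim: Claim, crosswalk=CROSSWALK) -> list[str]:
    """Run the pre-submission check; an empty list means the claim may go out."""
    findings: list[str] = []

    # Policy 2: header completeness is checked whether or not the code is listed.
    missing = [f for f in REQUIRED_HEADER if not claim.header.get(f)]
    if missing:
        findings.append("note header missing: " + ", ".join(missing))

    # Policies 1 and 5: the code must be on the list for this date of service.
    row = find_row(claim.code, claim.dos, crosswalk)
    if row is None:
        findings.append(f"{claim.code}: not on the telehealth list for DOS {claim.dos}")
    else:
        modality = claim.header.get("modality")
        # Policy 2: audio-only only where the list allows it, and only with a rationale.
        if modality == "audio-only":
            if not row.audio_only_allowed:
                findings.append(f"{claim.code}: audio-only used but video is required")
            elif not claim.header.get("audio_only_rationale"):
                findings.append("audio-only used without a documented rationale")
        # Policy 3: modifier matches the modality; POS is one the crosswalk allows.
        expected = row.modifier_by_modality.get(modality)
        if expected is not None and claim.modifier != expected:
            findings.append(f"modifier {claim.modifier or '(none)'} should be {expected} for {modality}")
        if claim.pos not in row.allowed_pos:
            findings.append(f"POS {claim.pos} not allowed for {claim.code}")

    # Policy 3: the facility fee belongs only to an eligible originating site.
    if claim.q3014_billed and not claim.patient_at_eligible_originating_site:
        findings.append("Q3014 billed but the patient was not at an eligible originating site")
    return findings


def audit(claims: list[Claim], crosswalk=CROSSWALK) -> dict:
    """Summarize a batch the way the monthly chart audit does: pass rate plus findings."""
    results = [check_claim(c, crosswalk) for c in claims]
    clean = sum(1 for r in results if not r)
    return {"checked": len(claims), "clean": clean,
            "pass_rate": clean / len(claims) if claims else 1.0, "findings": results}


# Constructed sample encounters mirroring the case-study defects.
_FULL = {"patient_location": "patient's home", "distant_practitioner": "practitioner on roster",
         "modality": "video", "platform": "video vendor (BAA on file)"}
SAMPLE_CLAIMS = [
    Claim("EX001", date(2025, 3, 10), "MV", "P1", dict(_FULL)),                        # clean
    Claim("EX003", date(2025, 2, 1), "MV", "P1", dict(_FULL)),                         # delisted code
    Claim("EX002", date(2025, 2, 1), "MV", "P2", {**_FULL, "modality": "audio-only"}),  # wrong modifier, no rationale
    Claim("EX001", date(2025, 2, 1), "MV", "P1",
          {k: v for k, v in _FULL.items() if k not in ("patient_location", "platform")},
          q3014_billed=True),                                                          # header gaps, bad Q3014
]

if __name__ == "__main__":
    for claim, findings in zip(SAMPLE_CLAIMS, audit(SAMPLE_CLAIMS)["findings"]):
        print(claim.code, claim.dos, findings or "clean")
```

Because the Crosswalk is the single source of truth for both the edit and the monthly audit, a § 410.78(f) change is handled once: add the new row or close the old one with an end date, and every subsequent claim is judged against the right version of the list.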
Best Practices for Telehealth Compliance (Five-Policy Model)
- One-page rules, not binders. Publish a “Top 12 telehealth codes” sheet with modality notes and any audio-only allowances. Staff will actually use it.
- Template gating. If your EHR supports it, block note sign-off until required header fields are complete. If not, use a scanned pre-visit checklist.
- Micro-scripts. Provide two-line scripts for identity verification and audio-only rationale; standard language improves chart quality.
- Claims safety nets. Add payer-specific edits that halt non-listed codes or missing modifiers; reconcile denials monthly, and close the loop with quick training.
- Vendor scorecards. Keep a simple scorecard for each platform: BAA date, MFA, who can export data, and last access review.
- Visible metrics. Post a monthly dashboard with telehealth denial rates, top denial reasons, and audit pass rate; visibility changes behavior quickly.
Building a Culture of Compliance Around the Five Policies
Embedding these policies requires routine, not heroics:
- Name owners. Assign a Telehealth Clinical Lead (templates and modality), a Revenue Cycle Lead (codes/POS/modifiers, Q3014), and a Privacy/Security Lead (BAAs, risk analysis, incidents).
- Onboard with purpose. Require a 45-minute telehealth module for any staff who schedule, document, or bill telehealth. Keep logs and a short quiz.
- Normalize self-correction. Encourage staff to flag defects; fix and rebill promptly. Self-identified corrections signal a healthy control environment to reviewers.
- Recognize zero-defect months. Small rewards (shout-outs, coffee cards) reinforce habits at minimal cost.
- Keep a portable “Telehealth Binder.” Digitally store your Crosswalk, templates, BAAs, risk addendum, audit logs, incident playbook, and “What changed” memos so you can respond to record requests within hours.
Concluding Recommendations, Advisers, and Next Steps
Recommendations. Anchor your telehealth program to 42 CFR § 410.78 by adopting the five core policies: eligibility, documentation, coding/billing (including Q3014), HIPAA safeguards, and change-management/audit. Convert each policy into short SOPs, one-page guides, and simple dashboards. Reinforce them with a monthly 10-chart audit and rapid corrective actions. This structure keeps patient care smooth, billing accurate, and oversight interactions predictable.
Advisers (affordable, practical).
- EHR tools you already have. Use smart phrases for the telehealth header, create a “missing elements” report, and auto-flag notes without modality or location.
- Low-cost claim edits. Most clearinghouses let you add custom edits to stop unlisted telehealth codes or missing modifiers/POS; this is cheap insurance against denials.
- Free federal resources. CMS telehealth lists and fact sheets clarify what is payable; OCR guidance explains audio-only safeguards; OIG materials help you structure a small-practice compliance program without consultants.
- Simple compliance tracker. If you add software, pick a lightweight tool that stores BAAs, audit logs, and training attestations and can export your whole “Telehealth Binder” in a single click.
Next steps (30/60/90 days).
- 30 days: Publish the Telehealth Code Crosswalk; deploy the note header; run a 45-minute training.
- 60 days: Turn on claim edits; complete BAAs and MFA checks; execute your first 10-chart audit and fix defects.
- 90 days: Review denial trends; refine audio-only scripts; update the Crosswalk for new § 410.78(f) changes; expand to additional services only after two consecutive clean audit cycles.