The Patient’s Right to Choose Telehealth Under CMS Rules (42 CFR § 410.78(f)(3))

The regulation at 42 CFR 410.78(b)(3)(xiv)–(b)(4). defines conditions under which Medicare beneficiaries may receive telehealth services in their homes. This provision safeguards patient autonomy by ensuring that individuals have the right to choose telehealth when clinically appropriate and when technology allows. For small practices, it underscores the importance of documenting patient choice, clinical justification, and modality of care to maintain compliance. Failure to follow this rule can result in denied claims, financial recoupments, and potential regulatory scrutiny. By aligning their workflows with this regulation, small practices can both protect revenue and enhance patient satisfaction.

Telehealth has become an essential tool for extending healthcare services beyond traditional office settings, particularly for small practices with limited resources. The rule codified in 42 CFR 410.78(b)(3)(xiv)–(b)(4). grants patients the right to receive telehealth services in their home under specific conditions. For small healthcare providers, this means adjusting clinical and administrative processes to respect patient choice while meeting Medicare requirements. Ignoring these obligations can expose a practice to CMS audits, payment denials, or corrective action plans. This article provides a structured guide for understanding, implementing, and sustaining compliance with this regulation.

Understanding The Patient’s Right to Choose Telehealth Under 42 CFR 410.78(b)(3)(xiv)–(b)(4)

(42 CFR § 410.78(b)(3)(xiv)) establishes that Medicare will cover certain telehealth services furnished in the beneficiary’s home, provided that clinical appropriateness and documentation requirements are met. The rule requires that:

• Telehealth may substitute for in-person services only if it is clinically appropriate (42 CFR § 410.78(a)(3)).

• If a patient cannot or does not wish to use video technology, audio-only services may be permitted for specified codes, provided the encounter is documented (42 CFR § 410.78(a)(3)(ii)).

• Providers must record the patient’s choice and the circumstances surrounding the use of telehealth, including the modality used (42 CFR § 410.78(b)(4)).

For small practices, understanding this framework ensures compliance with Medicare billing rules, reduces risks of overpayment recovery, and supports defensible patient care practices. Without such compliance, providers face penalties and operational disruptions.

The Office for Civil Rights (OCR) enforces HIPAA rules that directly affect how telehealth is delivered. While CMS governs payment, OCR ensures that patient privacy and data security are preserved during telehealth encounters. OCR has authority to investigate practices that fail to implement reasonable safeguards, fail to secure business associate agreements with vendors, or improperly disclose patient health information. Investigations may be triggered by:

• Patient complaints about lack of privacy during telehealth visits.

• Self-reports by clinics after breaches involving telehealth platforms.

• Random reviews or referrals during CMS audits where HIPAA deficiencies surface.

For small practices, integrating OCR’s HIPAA requirements into telehealth compliance ensures that patient choice is respected while privacy obligations are maintained.

Small practices can align with 42 CFR 410.78(b)(3)(xiv)–(b)(4). through a structured process. Each step connects directly to compliance with patient telehealth rights:

Step 1: Create a Telehealth Consent Form

Develop a standardized one-page form that documents patient choice to receive telehealth, including whether they prefer video or audio-only. Store the form in the electronic health record (EHR).

Step 2: Record Modality and Clinical Justification

Document the chosen modality (video or audio-only) and explain why telehealth is clinically appropriate for the encounter. If audio-only is used, record the patient’s inability or refusal to use video.

Step 3: Verify Identity and Location

At the start of each telehealth visit, verify the patient’s identity and location to meet compliance, license, and emergency preparedness requirements.

Step 4: Secure Vendor Agreements

Ensure that telehealth technology providers sign Business Associate Agreements (BAAs) and provide security assurances. Keep copies readily available.

Step 5: Train Staff

Conduct staff training on patient rights, consent documentation, and technology safeguards. Provide scripts for consistent communication during visits.

Step 6: Conduct Monthly Self-Audits

Audit a sample of telehealth encounters monthly to verify consent, modality, identity verification, and billing accuracy. Address gaps promptly with corrective action.

A small family practice adopted telehealth during a public health emergency. Patients often used audio-only calls, but clinicians failed to document why video was not used. During a CMS post-payment review, auditors found that multiple claims lacked required documentation of patient choice and clinical justification. The practice was ordered to repay $35,000 in Medicare funds and implement a corrective action plan.

In contrast, another small clinic adopted a telehealth workflow that included a consent form, a smart phrase in the EHR for documenting modality, and monthly spot audits. When CMS audited this practice, the clinic produced complete records demonstrating patient choice and clinical justification. The audit closed with no findings, strengthening patient trust and confirming compliance.

Common Pitfalls to Avoid Under 42 CFR 410.78(b)(3)(xiv)–(b)(4)

Common mistakes among small practices include:

• Failure to document patient choice: Without written or verbal documentation, CMS may deny claims.

• Omitting modality justification: When audio-only is used without explanation, claims are vulnerable to recoupment.

• Not securing vendor BAAs: Use of unverified platforms may lead to OCR investigations.

• Skipping identity verification: Failure to confirm identity and location creates compliance and license risks.

Avoiding these pitfalls reduces the risk of penalties and preserves reimbursement integrity.

Practical best practices include:

• Embed a telehealth consent template into the EHR for easy use.

• Use staff scripts for consistent patient communication about modality options.

• Select vendors that provide BAAs at no extra cost.

• Maintain a telehealth compliance binder with policies, BAAs, and training logs.

• Implement short monthly micro-trainings to reinforce compliance steps.

These practices are affordable, sustainable, and improve audit readiness for small clinics.

Compliance must be embedded in daily operations:

• Leadership: Assign a Telehealth Compliance Lead to oversee consent documentation, vendor agreements, and audits.

• Training: Provide quarterly refresher training to all staff, including clinicians, front desk, and billing personnel.

• Policies: Keep telehealth policies concise and accessible, outlining consent, modality, and incident response.

• Continuous Monitoring: Run regular audits and adjust policies based on findings to sustain compliance.

This culture not only ensures regulatory compliance but also builds patient trust.

Final Summary

The patient’s right to choose telehealth, codified at 42 CFR 410.78(b)(3)(xiv)–(b)(4)., requires small practices to document patient choice, modality, and clinical justification for every telehealth encounter. Practices must also verify identity, maintain vendor BAAs, and perform audits. Following these steps protects revenue, satisfies CMS audit requirements, and upholds patient trust.

Advisers

Small practices can strengthen compliance using affordable tools and free resources:

• HHS Telehealth Resources offer consent templates and training materials.

• CMS Telehealth Services List helps confirm coverage and billing requirements.

• OCR HIPAA Guidance provides clarity on privacy safeguards and vendor BAAs.

• Low-cost compliance tools like EHR smart phrases, shared audit spreadsheets, and vendor security summaries reduce overhead while improving readiness.

Next Steps

• Within 30 days: Implement consent forms and staff scripts.

• Within 60 days: Confirm vendor BAAs and create a security summary.

• Within 90 days: Conduct a full self-audit and refine training.

To further strengthen your compliance posture, consider using a compliance regulatory tool. These platforms help track and manage requirements, provide ongoing risk assessments, and keep you audit-ready by identifying vulnerabilities before they become liabilities, demonstrating a proactive approach to regulators, payers, and patients alike.

• 42 CFR 410.78 — Medicare telehealth services

• CMS Telehealth overview and services list

• HHS guidance on obtaining telehealth informed consent

• OCR HIPAA audio-only telehealth guidance

• Federal Register — CMS 2024 Final Rule updates