Telehealth Waivers Expire: Avoid $48k Repayments (42 CFR § 410.78(b)(4))

The regulation at 42 CFR 410.78(b)(4) outlines the conditions under which telehealth services are furnished to Medicare beneficiaries, including originating site requirements. During the COVID-19 public health emergency (PHE), many of these restrictions were waived, allowing broader access to telehealth. As waivers expire, small practices must return to compliance with the permanent requirements under 42 CFR 410.78(b)(4), which specify patient location and qualifying sites for telehealth services. Failure to adapt may result in denied claims, overpayment demands, and compliance reviews. For small practices, proactive planning ensures both reimbursement and adherence to federal law.

Telehealth waivers implemented during the PHE gave small practices the flexibility to serve patients in their homes or other nontraditional sites. These flexibilities expanded access and stabilized patient care. However, under 42 CFR 410.78(b)(4), Medicare’s permanent framework reinstates strict originating site requirements once waivers end. For small practices, the return to these rules impacts billing, scheduling, and patient communication. Understanding this regulation is critical for sustaining compliance, avoiding revenue loss, and preparing staff and patients for the new reality.

Understanding When Telehealth Waivers Expire Under 42 CFR 410.78(b)(4)

42 CFR 410.78(b)(4) establishes Medicare’s originating site requirements. The rule states that telehealth services are generally covered only when furnished at designated locations such as physician offices, hospitals, rural health clinics, or other approved sites. During the PHE, these restrictions were waived, allowing patients to receive telehealth from their homes. As waivers expire:

• Only specific originating sites will qualify for Medicare reimbursement.

• Patient homes may no longer count as eligible originating sites for certain services.

• Practices must confirm site eligibility for each patient encounter to ensure claims are valid.

For small practices, the legal framework means stricter documentation of patient location and compliance with originating site rules. Without this, practices risk repayment demands and compliance penalties.

The OCR’s Authority in When Telehealth Waivers Expire

While CMS governs payment rules under 42 CFR 410.78(b)(4), the Office for Civil Rights (OCR) enforces HIPAA privacy and security standards in telehealth delivery. During the PHE, OCR allowed certain enforcement discretion for telehealth platforms. With waiver expiration, OCR is resuming full enforcement:

• OCR may investigate if a practice continues to use noncompliant technology once enforcement discretion ends.

• Complaints from patients about privacy or unauthorized disclosures during telehealth sessions can trigger reviews.

• Self-reports of breaches or CMS audit referrals can expand into OCR investigations.

For small practices, maintaining HIPAA-compliant platforms, signed business associate agreements, and documented safeguards becomes essential as telehealth flexibilities phase out.

Small practices must take immediate action to align with 42 CFR 410.78(b)(4) after waiver expiration. The following steps provide a practical roadmap:

Step 1: Review Patient Eligibility and Site Rules

Verify whether patients’ originating sites meet the requirements under 42 CFR 410.78(b)(4). Create a checklist of approved locations and communicate this to scheduling staff.

Step 2: Update Consent and Intake Forms

Modify intake processes to include confirmation of the patient’s physical location during each telehealth visit. Ensure that patient consent acknowledges these requirements.

Step 3: Reassess Technology Vendors

Confirm that telehealth platforms meet HIPAA standards and have signed business associate agreements. Discontinue reliance on platforms used solely under enforcement discretion.

Step 4: Train Staff on Scheduling and Documentation

Educate staff on identifying eligible originating sites, documenting patient location, and applying correct billing codes.

Step 5: Perform Billing Audits

Audit recent telehealth claims to ensure they align with post-waiver requirements. Correct errors before CMS conducts reviews.

Step 6: Implement a Compliance Binder

Maintain a binder with copies of policies, checklists, BAAs, and audit logs to demonstrate proactive compliance during inspections.

A rural internal medicine clinic relied heavily on telehealth waivers during the PHE, offering services to patients at home. After waivers expired, the clinic failed to adjust its billing procedures. CMS auditors found that the clinic continued billing for patient home visits not covered under 42 CFR 410.78(b)(4). As a result, the clinic was required to repay $48,000 in Medicare funds and implement a corrective action plan.

In contrast, a small pediatrics practice prepared by educating staff, updating consent forms, and auditing telehealth encounters. When CMS reviewed its records, the practice demonstrated clear documentation of patient locations, consistent compliance with originating site rules, and updated vendor agreements. The review concluded without findings, reinforcing both compliance and patient trust.

• Continuing to bill for patient home visits without waiver authority: Results in claim denials and repayment demands.

• Failing to document patient location: Creates gaps in audit trails and risks compliance penalties.

• Relying on non-HIPAA-compliant platforms: Invites OCR investigations and corrective action plans.

• Not training staff on new requirements: Leads to inconsistent processes and higher error rates.

Avoiding these errors ensures financial stability and regulatory compliance for small practices.

• Embed patient location verification into EHR templates to standardize documentation.

• Develop a simple staff script to confirm originating sites during patient intake.

• Use low-cost, HIPAA-compliant telehealth platforms that provide BAAs at no additional cost.

• Conduct short monthly staff trainings to reinforce compliance requirements.

• Maintain a compliance binder to demonstrate proactive efforts during audits.

These best practices help small practices implement safeguards without adding significant financial burden.

Building a Culture of Compliance Around When Telehealth Waivers Expire

Creating a compliance culture requires leadership commitment and staff engagement. Designate a Telehealth Compliance Lead responsible for monitoring originating site documentation and vendor agreements. Train all staff on the importance of verifying patient location and respecting CMS rules. Keep policies concise and easy to access, ensuring they are used daily. Regular audits and feedback loops reinforce accountability, while staff recognition programs encourage ongoing compliance.

Final Summary

As telehealth waivers expire, small practices must transition back to the permanent framework under 42 CFR 410.78(b)(4). This includes verifying originating sites, documenting patient location, updating consent forms, reassessing vendors, and conducting regular audits. Practices that take proactive steps will preserve reimbursement, avoid penalties, and maintain patient trust.

Advisers

Affordable solutions are available to help small practices manage compliance:

• CMS Telehealth Services List provides authoritative guidance on covered services and site rules.

• HHS Telehealth Resources offer free patient communication templates and consent tools.

• OCR HIPAA Guidance explains safeguards and vendor requirements.

• Low-cost compliance tools such as EHR smart phrases, shared spreadsheets, and compliance binders reduce overhead while improving audit readiness.

Next Steps

• Within 30 days: Update intake and consent forms to confirm patient location.

• Within 60 days: Reassess telehealth vendors and confirm BAAs.

• Within 90 days: Conduct a self-audit of telehealth encounters and adjust processes as needed.

• 42 CFR 410.78 — Medicare telehealth services
  

• CMS Telehealth Services List and guidance
  

• HHS Telehealth consent and resources
  

• OCR HIPAA telehealth guidance
  

• Federal Register — CMS Telehealth Rule updates