Telehealth Billing and HIPAA: Compliance Rules, Modifiers, and Documentation Tips

Telehealth is now a permanent part of care delivery, but accurate coding, compliant workflows, and airtight records still determine whether claims pay and whether you stay audit‑ready. This guide to Telehealth Billing and HIPAA: Compliance Rules, Modifiers, and Documentation Tips gives you a practical framework for selecting the right place of service codes, applying correct modifiers, and meeting documentation and privacy standards.

Use it to align clinical, compliance, and revenue cycle teams around one playbook, reduce denials, and standardize processes across states and plans while honoring Payer-Specific Telehealth Policies.

Telehealth Service Delivery Methods

Synchronous audio‑video (live, two‑way)

This is a real‑time visit using secure video. It most closely mirrors an in‑person encounter and typically supports standard E/M and many procedure codes. When payers require it, you append Modifier 95 to indicate synchronous telemedicine rendered via audio and video.

Audio‑only (telephone)

Audio‑only visits are valuable for patients without broadband or devices. Coverage varies by payer and code. If allowed, append Modifier 93 to identify a service delivered via audio‑only telecommunication and document why video was not feasible or clinically necessary.

Store‑and‑forward (asynchronous)

Clinicians review recorded data, images, or messages and respond later. Some plans require Modifier GQ to flag asynchronous telecommunication. Clearly note the time spent, what was reviewed, and your medical decision‑making.

Remote patient monitoring (RPM) and device‑based care

RPM uses connected devices to collect physiologic data with separate codes and coverage rules. Treat it as a distinct modality; document who set up the device, data review intervals, and actions taken in response to alerts.

State Licensing and Legal Requirements

You must hold an active license in the state where the patient is physically located at the time of service, unless an applicable compact, reciprocity pathway, or specific state exception applies. Capture the patient’s location at each encounter and store proof of licensure or authorization for that state.

Review prescribing rules for controlled and non‑controlled substances, supervision requirements for advanced practice providers, and consent mandates. Some states require explicit telehealth consent or disclosures; integrate these into intake so they are captured before the visit and refreshed at required intervals.

Maintain a state‑by‑state matrix of Payer-Specific Telehealth Policies and legal nuances (e.g., minor consent, interpreter rules, corporate practice of medicine). Train staff to check this matrix during scheduling and before claims submission.

Place of Service Codes Usage

Core definitions

• Place of Service Code 02: Telehealth Provided Other than Patient’s Home. Use when the patient is located at a site that is not their home (for example, a school, workplace, clinic, or community site).
• Place of Service Code 10: Telehealth Provided in Patient’s Home. Use when the patient receives telehealth from their home or a temporary lodging that functions as home.

Selection workflow

1. Confirm and document the patient’s physical location at the start of the encounter.
2. If the location is home, report Place of Service Code 10; if not home, report Place of Service Code 02.
3. Append the appropriate telehealth modifier if the payer requires it (see next section) and ensure the code descriptor supports the chosen modality.
4. Validate against Payer-Specific Telehealth Policies because some plans have unique instructions that supersede default rules.

Edge cases to document

• Patient moves locations during the visit: record both locations and bill based on the location at the start of the billable portion.
• Facility‑based patient using a personal device on campus: still consider it “other than home” when the facility is the originating site.

Common Telehealth Billing Modifiers

Modifier 95 — synchronous telemedicine via audio and video

Append Modifier 95 when a covered service is delivered in real time with both audio and video. Do not use it for audio‑only, messaging, or when the CPT/HCPCS code already inherently denotes telecommunication.

Modifier 93 — audio‑only telemedicine

Use Modifier 93 to indicate a service furnished via audio‑only. Ensure the payer covers audio‑only for the specific code and document clinical appropriateness and any technology limitations that prevented video.

Modifier GQ — asynchronous telecommunication

Modifier GQ identifies store‑and‑forward services when recognized by the payer. Save the artifacts reviewed (e.g., images, tracings), time spent, and clinical decisions made. Do not combine GQ with modifiers that indicate live video unless a payer explicitly instructs otherwise.

Operational guardrails

• Build EHR prompts that force a modality selection, then auto‑suggest the correct modifier and Place of Service Code 02 or Place of Service Code 10.
• Run claim edits to block incompatible combinations (e.g., Modifier 93 on codes that require video).
• Maintain a payer rules library so staff can quickly confirm whether a plan wants a modifier, a specific POS, or both.

HIPAA Compliance Safeguards

Administrative Safeguards

• Execute Business Associate Agreements for all telehealth platforms, messaging tools, and vendors.
• Conduct risk analysis for telehealth workflows; update policies for identity verification, minimum necessary use, and breach response.
• Provide role‑based training on telehealth privacy, recording prohibitions, and secure documentation.
• Establish contingency plans for outages, including documented fallback to phone and procedures for rescheduling.

Technical Safeguards

• Use encrypted platforms with unique user IDs, multifactor authentication, role‑based access, and automatic logoff.
• Enable audit logs for telehealth sessions, message threads, and record access; monitor regularly.
• Harden endpoints: full‑disk encryption, mobile device management, patching, and restricted local storage.

Physical safeguards and privacy in practice

• Conduct visits in private spaces; use headsets and screen‑privacy filters to reduce incidental disclosures.
• Control printed materials and disable local downloads when feasible; store all notes in the EHR, not on personal devices.

Documentation and Consent Requirements

Core encounter elements

• Patient and provider locations, identities, and credentials; all participants (e.g., caregiver, interpreter).
• Modality used (audio‑video, audio‑only, store‑and‑forward) and the reason if video was not possible.
• Clinical content: history, exam (as applicable), medical decision‑making, and/or total time by activity.
• Start/stop times when time‑based coding is used and any technology interruptions that affected the visit.

Patient Consent Documentation

• Telehealth consent captured before or at the encounter, including risks, benefits, privacy limits, and financial responsibility.
• State‑specific consent language when required; note method (written, electronic, or verbal) and date/time.
• For minors or dependent adults, document the consenting party’s name, relationship, and presence.

Record retention and artifacts

• Retain images, tracings, or patient‑submitted data used for clinical decisions, consistent with policy.
• Attach payer correspondence or eligibility confirmations supporting coverage for the selected modality.

Best Practices for Accurate Telehealth Billing

• Verify eligibility and Payer-Specific Telehealth Policies during scheduling; capture the patient’s location in advance.
• Use standardized telehealth note templates that force entry of location, modality, and consent status.
• Adopt a decision tree: choose modality, pick Place of Service Code 10 or Place of Service Code 02, then append Modifier 95, Modifier 93, or Modifier GQ as appropriate.
• Automate claim edits to flag missing consent, incompatible codes/modifiers, or POS/modifier mismatches.
• Audit a sample of telehealth notes monthly for HIPAA compliance, documentation sufficiency, and coding accuracy.
• Analyze denials by payer and root cause; update your rules library and staff job aids accordingly.
• Educate clinicians on when video is required versus acceptable audio‑only, and how to document limitations.

Conclusion

Accurate telehealth billing hinges on three pillars: correct POS and modifiers tied to the true care modality, rigorous Patient Consent Documentation and clinical detail, and disciplined HIPAA safeguards across people, process, and technology. Standardize these steps and align them with Payer-Specific Telehealth Policies to lower denials and stay audit‑ready.

FAQs.

What are the key HIPAA requirements for telehealth billing?

Implement Administrative Safeguards (policies, BAAs, risk analysis, training), Technical Safeguards (encryption, access controls, audit logs, MFA, auto‑logoff), and physical protections for private visits. Ensure minimum necessary use, identity verification, and secure storage of all telehealth documentation within the EHR.

How do modifiers affect telehealth claim submissions?

Modifiers signal modality and directly influence coverage and pricing. Use Modifier 95 for synchronous audio‑video, Modifier 93 for audio‑only, and Modifier GQ for asynchronous store‑and‑forward when recognized. Pair the correct modifier with the right place of service and only when the code and payer policy allow it.

What documentation is required for telehealth compliance?

Record patient and provider locations, modality, participants, clinical content, and time (if time‑based). Include explicit Patient Consent Documentation, reason for audio‑only when used, and any artifacts reviewed. Retain records per policy and align with Payer-Specific Telehealth Policies.

What are common billing errors that lead to denials in telehealth services?

Frequent issues include wrong place of service (mixing up Place of Service Code 10 and Place of Service Code 02), missing or incorrect modifiers, attempting audio‑only on codes that require video, absent or outdated consent, and insufficient clinical detail to support medical necessity. Automated edits and regular audits reduce these errors.