Maintaining your organizational wellbeing during the unprecedented COVID-19 pandemic requires a broad view of the factors that impact your ability to achieve your business objectives while supporting personal employee wellbeing. Many employers have turned to telehealth as a means to better support their employees in the wake of COVID-19 and the need for social distancing. In fact, 25% of the employers responding to Gallagher's COVID-19 Pulse Survey: Sustaining Organizational Wellbeing & Resiliency through a Crisis indicated that they added or expanded coverage for telehealth services in response to the pandemic. However, 61% of responding employers already offered telehealth services prior to the beginning of COVID-19. Regardless of whether telehealth is a new part of your benefits offering, compliance with various laws and regulations is critical to support that offering. Check out the action steps below to help you keep your telehealth services compliant even after the pandemic ends.

Identify. Apply. Offer.

Telehealth, as defined by, is "the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration." Technologies may include videoconferencing, use of the internet, store-and-forward imaging, streaming media, and land-based and wireless communications. Fundamentally, telehealth from an employer's perspective involves access to care by employees and their families from remote locations using some form of advanced communication technology. While increased access to care and potential cost savings are important, employers must also recognize that a myriad of laws, both state and federal, may apply to their telehealth benefits. For example, many states, such as Oklahoma, require providers to be licensed in the states where their patients are located. (Note that many states have eased licensing requirements in the wake of the COVID-19 pandemic, but that easement should not be anticipated to extend indefinitely.) States may also limit the types of services that may be provided through telehealth services, and require patients to provide informed consent prior to receiving telehealth services. Healthcare providers may also be limited in their ability to prescribe medications in connection with telehealth encounters. In addition, because telehealth services involve the provision of medical care, they will fall under ERISA, COBRA, and other federal law as "health benefits" and must be addressed accordingly. What state and federal laws apply to your telehealth services?

Adopt. Disclose. Report.

Generally speaking, employer-sponsored telehealth benefits are considered group health plans and are subject to ERISA's requirements. Thus, if an employer is subject to ERISA, it must: (1) adopt a plan document describing the plan’s terms and operations; (2) distribute a summary plan description (SPD) explaining plan terms to participants; (3) file an annual Form 5500, unless an exemption applies; (4) comply with fiduciary standards; and (5) maintain a claims and appeals process related to benefits offered on a telehealth basis. Typically, employers will incorporate their telehealth benefits into their major medical plans and fold those benefits into ERISA compliance for their major medical plans. However, some employers may make their telehealth benefits available to all employees, not solely those enrolled in their major medical benefits. In such a case, the telehealth benefits may constitute their own plan and thus be required to meet ERISA reporting and disclosure requirements separately. Offering telehealth benefits on a stand-alone basis may, however, create issues under other laws, such as the Patient Protection and Affordable Care Act (ACA), as noted below. What does your organization need to do to ensure that your telehealth benefits are compliant with any applicable ERISA disclosure and reporting requirements?

Administer. Incorporate. Continue.

Telehealth benefits are subject to COBRA continuation requirements because they provide medical care and are considered to be group health benefits. Because many employers include their telehealth benefits as part of their major medical benefits, only employees who participate in their major medical plans are eligible for telehealth benefits. This type of incorporation will ease the administrative burden associated with providing telehealth services on a continuation basis because those benefits will be part of major medical coverage continuation. However, because telehealth services are often administered by specialty third-party vendors, coordination of the administration of continuation coverage may be needed between an employer's COBRA administrator and telehealth administrator. Because of requirements under the ACA, telehealth services are unlikely to be offered as stand-alone benefits, but if they are, they should be administered with a separate election for COBRA continuation. What changes, if any, does your organization need to make to ensure that telehealth services are properly included as part of your COBRA continuation efforts?

Qualify. Integrate. Meet.

If telehealth benefits are offered outside of your group medical plan, they will generally constitute a separate group health plan subject to ACA mandates — unless they qualify as an excepted benefit. More specifically, ACA group health plan mandates require insurance coverage of dependent children up to age 26, prohibit lifetime and annual dollar limits for essential health benefits, require provision of a summary of benefits and coverage (SBC), and require coverage of specified preventative health services without cost sharing. An employer who fails to comply with these requirements may be penalized $100 per day per person. However, in response to the COVID-19 emergency, the Internal Revenue Service (IRS), Department of Labor (DOL), and the Department of Health and Human Services (HHS) jointly issued relief for group health plans (and health insurance coverage offered in connection with a group health plan) that provides benefits solely for telehealth or other remote-care services. The relief is limited to telehealth and other remote-care service arrangements sponsored by a large employer and offered only to employees or dependents who are not eligible for coverage under any other group health plan offered by that employer and is only available during the public health emergency related to COVID-19. According to the relief, qualifying plans and insurers are exempt from the group market reforms but must comply with nondiscrimination requirements. Thus, telehealth-only plans must comply with: (1) the prohibition against pre-existing condition exclusions and special enrollment requirements; (2) the prohibition against discrimination in eligibility or coverage based on an individual's health status; (3) the prohibition against rescission of coverage except when fraud or intentional misrepresentation of material fact has occurred: and (4) the parity requirements between medical/surgical benefits and mental health/substance use disorder benefits. However, telehealth-only plans are not exempt under the relief from COBRA, ERISA, or other federal requirements. What ACA group health plan mandates are your telehealth benefits required to meet?

Secure. Protect. Include.

As group health plans or part of group health plans, telehealth services are also subject to the Privacy and Security requirements under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule addresses the permissible use and disclosure of protected health information (PHI), and the Security Rule governs safeguards for the protection of the confidentiality, integrity, and availability of electronic PHI. Due to the nature of the services offered, telehealth services necessarily involve the use and potential disclosure of PHI. Thus, sponsoring employers should integrate telehealth services into their HIPAA Privacy and Security compliance and must determine whether their third-party vendors assisting with telehealth services are also covered entities or operate as Business Associates. If a third-party vendor is a Business Associate, the employer-sponsored health plan must have a Business Associate Agreement in place with that vendor. In addition, the health plan must ensure that it has policies and procedures in place to protect any applicable PHI associated with the telehealth services that it creates, maintains, or receives. What additional steps must your organization take to include employer-sponsored telehealth services in your HIPAA Privacy and Security efforts?

This is a preview of Priorities and Perspectives, a monthly publication produced by Gallagher's Compliance Consulting Practice. For five more action steps to help you focus your compliance efforts in 2020, contact your Gallagher representative or visit our Compliance Resources page for the full version of this month's edition.


Compliance is a series of actions, not a final destination. As a trusted advisor, Gallagher has developed this Priorities and Perspectives series to help you pursue a path through employee benefits compliance issues as part of an overall continuing compliance plan. Employers should carefully evaluate their health and welfare plans to determine if they are in compliance with both federal and state law. If you have any questions about one or more of the compliance requirements listed above, or would like additional information on how Gallagher constantly monitors laws and regulations impacting employee benefits in order to support employers in their compliance efforts, please contact your Gallagher representative.


The intent of this analysis is to provide you with general information. It does not necessarily fully address all your organization's specific issues. It should not be construed as, nor is it intended to provide, legal advice. Questions regarding specific issues should be addressed by your organization's general counsel or an attorney who specializes in this practice area.