On June 13, 2022, the U.S. Department of Health and Human Services, Office for Civil Rights ("OCR"), issued guidance on how covered entities and business associates can use remote communication technologies for audio-only telehealth in a HIPAA-compliant manner following the end of the national COVID-19 public health emergency ("PHE"). OCR had previously issued guidance in 2020 informing the public that it would not impose penalties against health care providers for noncompliance with the HIPAA rules in connection with the good faith provision of telehealth services during the COVID-19 PHE. The new guidance is issued to support the continuation of expanded access to care via audio-only telehealth services.
The new guidance includes responses to four frequently asked questions ("FAQs") regarding compliance with the HIPAA privacy and security rules in connection with audio-only telehealth services. These FAQs cover the following topics:
- Whether the HIPAA Privacy Rule permits health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?
  - The OCR clarified that such practice is permissible provided that reasonable safeguards for protecting the privacy of protected health information ("PHI") from impermissible uses or disclosures are utilized when providing telehealth services. Examples of such safeguards include the provision of telehealth services in private settings, not using speakerphone and using lowered voices to limit incidental uses or disclosures of PHI. In addition, verification of the patient's identity is required, which may be performed either orally or in writing (including using electronic methods).
- Whether health care providers and health plans have to meet HIPAA Security Rule requirements to use remote communication technologies to provide audio-only telehealth services?
  - The OCR clarified that the HIPAA Security Rule does not apply to audio-only telehealth services provided using a telephone landline because the information transmitted is not electronic. However, the HIPAA Security Rule does apply to the use of electronic communication technologies, such as communication apps on a smartphone or other computing device, Voice over Internet Protocol (VoIP) technologies, technologies that electronically record or transcribe a telehealth session, and messaging services that electronically store audio messages. Thus, covered entities need to address security risks and vulnerabilities to electronic PHI when using these technologies as part of the risk analysis and risk management processes.
- Whether a health care provider or a health plan may conduct audio-only telehealth using remote communication technologies without a business associate agreement ("BAA") with the vendor?
  - Consistent with its prior position on the issue, the OCR stated that HIPAA does not require a BAA between a provider and vendor where the vendor only has transient access to PHI it transmits during a call because the vendor is merely acting as a conduit for the PHI and is not creating, receiving, or maintaining PHI on behalf of the provider. For instance, a BAA is not required where a provider conducts an audio-only telehealth session with a patient using a smartphone and the vendor's sole role is connecting the call. However, a provider needs to enter into a BAA with a vendor that is more than a mere conduit for PHI. For example, a BAA is required where the vendor's smartphone app stores PHI (e.g., recordings, transcripts) or translates oral communications to another language (and therefore creates and receives PHI) to provide meaningful access to individuals with limited English proficiency.
- Whether health care providers may use remote communication technologies to provide audio-only telehealth if an individual's health plan does not provide coverage for those services?
  - OCR noted that providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.
OCR's new HIPAA guidance on using remote communication technologies for audio-only telehealth can be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.