On June 13, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on Health Insurance Portability and Accountability Act (HIPAA) requirements as they relate to audio-only telehealth. Telehealth technology is typically thought of as audio-video, and OCR pandemic telehealth guidance (from over two years ago) focused heavily on video communication. What’s new is OCR’s acknowledgment that certain populations are unable to access audio-video telehealth and must rely on audio-only telehealth. The guidance is intended to help ensure that postpandemic, those populations can benefit from audio-only telehealth with confidence that their health information is private and secure. The guidance discusses how covered entities and business associates, which may include health care providers and health plans, can use remote communication technologies for audio-only telehealth in a HIPAA-compliant manner following the end of the national COVID-19 public health emergency.
Certain groups of people may have trouble accessing or using technologies for audio-video telehealth due to their financial resources, limited English proficiency, disability, internet access, or the availability of adequate broadband and cell coverage in certain rural areas. Audio-only telehealth addresses the needs of these groups by allowing them to receive medical care over audio devices like landline and cell phones without video. While the guidance specifically addresses audio-only telehealth services, it applies to all types of telehealth communications.
In March 2020, OCR issued a Telehealth Notification informing the public that HHS would exercise discretion in how it applies the rules under HIPAA and that it would not impose penalties for noncompliance against covered health care providers in connection with providing audio or video telehealth services in good faith during the COVID-19 public health emergency. The notice doesn’t apply to health plans that provide telehealth. Because of the flexibility afforded by the Telehealth Notification, covered health care providers have been able to use any available non–public facing remote communication technologies for telehealth, even where those technologies may not fully comply with the HIPAA rules. OCR intends to keep the flexibility open while clarifying HIPAA protections.
The COVID-19 public health emergency has been extended through October 13, 2022. When it expires, HHS will no longer exercise the discretion announced in March 2020 when applying compliance rules under HIPAA for telehealth services, so health care providers need clarification to plan future services.
The recent guidance includes four frequently asked questions (FAQs) and responses from OCR:
Does the HIPAA Privacy Rule permit health care providers/health plans to use remote communication technologies to provide audio-only telehealth services?
- Yes, if they apply reasonable safeguards for protecting the privacy of protected health information (PHI) from impermissible uses or disclosures. Safeguard examples include using telehealth services in private settings, not using a speakerphone, and using lowered voices to limit incidental uses or disclosures of PHI.
- Verification of the patient’s identity is also required if the health care provider/health plan is unfamiliar with the patient. The verification may be performed either orally or in writing (including using electronic methods).
Do health care providers/health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?
- Yes, in some circumstances. The HIPAA Security Rule does not apply to audio-only telehealth services provided using a landline phone because the information transmitted is not electronic.
- The HIPAA Security Rule does apply to the use of electronic communication technologies, including communication apps on a smartphone, communications over Wi-Fi networks, Voice over Internet Protocol (VoIP) technologies, technologies that electronically record or transcribe a telehealth session, and messaging services that electronically store audio messages.
Can a health care provider/health plan conduct audio-only telehealth using remote communication technologies without a business associate agreement (BAA) in place with the vendor?
- Yes, in some circumstances. HIPAA does not require a BAA between a health care provider and vendor where the vendor only has transient access to PHI it transmits during a call because the vendor is merely acting as a conduit for the PHI and is not creating, receiving or maintaining PHI on behalf of the provider. For example, a BAA is not required where a health care provider conducts an audio-only telehealth session with a patient using a smartphone, and the vendor’s sole role is connecting the call.
- A health care provider must enter into a BAA with a vendor that is more than a mere conduit for PHI. For example, a health care provider would need a BAA with the developer of a smartphone app that the provider uses to translate speech to another language to provide access to individuals with limited English proficiency.
Can health care providers use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage for those services?
- Yes. Health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA rules, regardless of whether any health plan covers or pays for those services. The FAQs only addressed HIPAA rules, not health plan coverage issues.
Next Steps
Health care providers and health plans should prepare for the end of enforcement discretion.
Elizabeth F. Hodge and Lauren F. Gandle of Akerman suggest that providers and plans should:
- Confirm that existing telehealth services and technologies comply with the HIPAA rules
- Implement the necessary corrective actions to bring telehealth services into compliance or find new technologies to comply with HIPAA rules if current ones are noncompliant
- Address the potential security risks and vulnerabilities to electronic PHI when using these technologies as part of the risk analysis and risk management processes as required by the HIPAA Security Rule
- Ensure that all necessary BAAs with telehealth technology providers are in place
- Ensure that telehealth services allow communications to be as effective for those with limited English proficiencies or disabilities as communications for all other individuals
- Monitor HHS announcements regarding the time frame within which the Telehealth Notification will end
- Consult with legal counsel to determine whether policies and procedures are compliant.
Amanda Wilke, CEBS
Information/Research Specialist at the International Foundation