Telehealth and HIPAA Compliance

HHS recently issued guidance clarifying how providers may use remote communication technologies for audio-only telehealth services after the conclusion of the PHE. This article summarizes the recently released guidance.

For background, in 2020, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) responded to the COVID-19 Public Health Emergency (PHE) by announcing that, during the PHE, covered health care providers would not be subject to penalties for noncompliance with HIPAA rules during the good faith provision of telehealth via nonpublic facing audio or video remote communication technologies. OCR’s enforcement discretion remains in effect until the Secretary of HHS declares the PHE is over, or when the PHE’s expiration date occurs, whichever comes first.

QUESTION: Does the HIPAA Privacy Rule permit covered health care providers to use remote communication technologies to provide audio-only telehealth services?

ANSWER: Yes. When providing telehealth services, including audio-only telehealth services, the HIPAA Privacy Rule requires covered health care providers to use reasonable safeguards to preserve the privacy of protected health information (PHI) from impermissible uses or disclosures. For instance, to the extent feasible, covered health care providers should provide telehealth services in private settings. If that’s not feasible, covered entities must implement other reasonable safeguards such as avoiding the use of speaker phones. Additionally, if the covered health care provider does not know the patient, it must verify the identity of the individual. This can be done orally or in writing and may include electronic methods.

QUESTION: Do covered health care providers have to comply with the requirements of the HIPAA Security Rule to use remote communication technologies to provide audio-only telehealth services?

ANSWER: It depends on the circumstances. The HIPAA Security Rule does not apply to audio-only telehealth services provided using a telephone landline (regardless of the technology used by the patient).

However, the HIPAA Security Rule applies when the covered health care provider uses telephone systems that transmit electronic PHI (ePHI) (e.g., Voice over Internet Protocol, Internet, intra- and extranets, cellular data, Wi-Fi, recording or transcription services for sessions, and services that electronically store audio messages). Covered health care providers must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using these technologies. Such risk analysis and risk management efforts should include the following considerations:

  • The risk of the transmission being intercepted by an unauthorized third party.
  • Whether the remote communication technology encrypts the transmissions.
  • Whether authentication is required to access the device/app where ePHI may be stored.
  • Whether a session is automatically terminated or locked after a certain period of inactivity.
  • The risk of unauthorized third-party access to any ePHI created/stored after a telehealth session.

Note that patients may use any telephone system when receiving telehealth services.

QUESTION: Do the HIPAA Rules permit a covered health care provider to conduct audio-only telehealth using remote communication technologies without a business associate agreement (BAA) in place with the vendor?

ANSWER: It depends on the circumstances. A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access to PHI by the business associate. The term “business associate” also includes a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate. When a telecommunication service provider acts as a business associate, the HIPAA Rules require the covered health care provider to enter into a BAA with the telecommunication service provider.

If the telecommunication service provider is acting merely as a conduit for the PHI – as is the case when a covered health care provider uses a telephone to communicate with a patient – a BAA is not required. The telecommunication service provider only has transient access to the PHI it transmits. No business associate relationship has been created if the telecommunication service provider is not creating, receiving, or maintaining PHI on behalf of the covered health care provider, and the telecommunication service provider does not require access to the PHI it transmits on a routine basis. For example, if a telecommunication service provider is only connecting a call between the covered health care provider and the patient via a smartphone and does not create, receive, or maintain any PHI from the audio-only telehealth session, a BAA is not necessary.

On the other hand, a BAA is required when the vendor is more than a mere conduit for PHI. For instance, when a smartphone app stores recordings or transcripts of phone calls in a database for a provider’s later use, the covered health care provider must enter into a BAA with the app developer because the app creates, receives, and maintains PHI. The app is not merely a conduit for the transmission of PHI.

QUESTION: Do the HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage or payment for those services?

ANSWER: Yes. Coverage or payment for telehealth services is separate from HIPAA requirements.

For more information about this guidance, as well as HIPAA requirements, please refer to the guidance web page.

The Advocacy Council – ADVOCATING FOR ALLERGISTS AND THEIR PATIENTS.