
OCR issues HIPAA guidance on audio-only telehealth services

Kevin Kifer and Milada Goturi, June 14, 2022

On June 13, 2022, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), issued guidance on how covered entities and business associates can use remote communication technologies for audio-only telehealth in a HIPAA-compliant manner following the end of the national COVID-19 public health emergency (“PHE”).  OCR had previously issued guidance in 2020 informing the public that it would not impose penalties against health care providers for noncompliance with the HIPAA rules in connection with the good faith provision of telehealth services during the COVID-19 PHE. The new guidance is issued to support the continuation of expanded access to care via audio-only telehealth services.

The new guidance includes responses to four frequently asked questions (“FAQs”) regarding compliance with the HIPAA privacy and security rules in connection with audio-only telehealth services. These FAQs cover the following topics:

  1. Whether the HIPAA Privacy Rule permits health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?
    • The OCR clarified that such practice is permissible provided that reasonable safeguards for protecting the privacy of protected health information (“PHI”) from impermissible uses or disclosures are utilized when providing telehealth services. Examples of such safeguards include the provision of telehealth services in private settings, not using speakerphone and using lowered voices to limit incidental uses or disclosures of PHI. In addition, verification of the patient’s identity is required, which may be performed either orally or in writing (including using electronic methods).

  2. Whether health care providers and health plans have to meet HIPAA Security Rule requirements to use remote communication technologies to provide audio-only telehealth services?
    • The OCR clarified that the HIPAA Security Rule does not apply to audio-only telehealth services provided using a telephone landline because the information transmitted is not electronic. However, the HIPAA Security Rule does apply to the use of electronic communication technologies, such as communication apps on a smartphone or other computing device, Voice over Internet Protocol (VoIP) technologies, technologies that electronically record or transcribe a telehealth session, and messaging services that electronically store audio messages. Thus, covered entities need to address security risks and vulnerabilities to electronic PHI when using these technologies as part of the risk analysis and risk management processes.

  3. Whether a health care provider or a health plan may conduct audio-only telehealth using remote communication technologies without a business associate agreement (“BAA”) with the vendor?
    • Consistent with its prior position on the issue, the OCR stated that HIPAA does not require a BAA between a provider and vendor where the vendor only has transient access to PHI it transmits during a call because the vendor is merely acting as a conduit for the PHI and is not creating, receiving, or maintaining PHI on behalf of the provider. For instance, a BAA is not required where a provider conducts an audio-only telehealth session with a patient using a smartphone and the vendor’s sole role is connecting the call. However, a provider needs to enter into a BAA with a vendor that is more than a mere conduit for PHI. For example, a BAA is required where the vendor’s smartphone app stores PHI (e.g., recordings, transcripts) or translates oral communications to another language (and therefore creates and receives PHI) to provide meaningful access to individuals with limited English proficiency.

  4. Whether health care providers may use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage for those services?
    • OCR noted that providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.

OCR’s new HIPAA guidance on using remote communication technologies for audio-only telehealth can be found here.

Milada Goturi and Kevin Kifer are members of Thompson Coburn’s health care practice.