Earlier this year, the United States Department of Health and Human Services (HHS) issued guidance to explain how audio-only telehealth can comply with HIPAA. In the guidance HHS also emphasized that audio-only telehealth services can be beneficial to those individuals with limited internet and broadband access. Specifically, HHS notes that the purpose of the guidance is to “help ensure that individuals can continue to benefit from audio-only telehealth by clarifying how covered entities can provide telehealth services and improving public confidence that covered entities are protecting the privacy and security of their health information.”
When the COVID-19 pandemic began in early 2020, HHS published a Notification of Enforcement Discretion for Telehealth Remote Communications that allowed providers to use any available non-public facing remote technologies to provide telehealth services, even if those technologies were not fully HIPAA-compliant. However, that Notice of Enforcement Discretion expires when the public health emergency (PHE) declaration expires. At that time, HHS can resume imposing penalties for non-compliance.
Providers Can Use Remote Communication Technologies to Provide Audio-Only Telehealth Services
Under the new guidance, HHS clarifies that while HIPAA covered entities can use remote communication technologies (including audio-only services) to provide telehealth services, compliance with HIPAA requires that they apply reasonable safeguards to protect protected health information (PHI) from impermissible uses or disclosures. To that end, the HHS Office for Civil Rights (OCR) expects healthcare providers delivering telehealth services to do so in a private setting. If a private setting is not feasible, such as where they share an office with a colleague or family member, providers should implement safeguards to limit incidental exposure of PHI, such as using a lowered voice and not using speakerphone.
Additionally, if an individual is not known to the covered entity, the entity must verify the identity of the individual either verbally or in writing. If necessary, providers must verify the individual’s identity by using language assistance services to provide meaningful access for individuals with limited English proficiency.
Providers Need to Meet the Requirements of the HIPAA Security Rule to Use Remote Communication Technologies to Provide Audio-Only Telehealth Services
The guidance clarifies that the HIPAA Security Rule does not apply to telehealth services provided via a traditional landline because the information transmitted is not electronic, irrespective of the type of phone technology used by the patient. However, entities that use a telephone system and transmit electronic PHI (such as by using Voice over Internet Protocol (VoIP)) must meet the requirements of the HIPAA Security Rule.
Additionally, compliance with the Security Rule is required if an entity uses any of the following types of electronic technologies: communication apps on a smartphone or other device, technologies that electronically record or transcribe a telehealth session, or messaging services that electronically store audio messages.
Business Associate Agreements Are Sometimes Required
The guidance also notes that if a telecommunications service provider is not creating, receiving, or maintaining PHI on behalf of the covered entity, but is merely acting as a conduit, a business associate agreement (BAA) is not needed. However, if the service provider is more than a conduit for the transmission of PHI (such as the developer of a smartphone app), it would be considered a business associate and a BAA would be necessary.
HIPAA Rules Allow Providers to Provide Audio-Only Telehealth if a Patient’s Health Plan Does Not Provide Coverage or Payment for Such Services
Providers are permitted to provide audio-only telehealth services by remote communication technologies consistent with HIPAA, irrespective of whether the patient’s health plan will cover or pay for the services. HHS notes that “health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about compliance with the HIPAA rules and are not addressed in this document.”