OCR Clarifies Post-PHE HIPAA Compliance for Audio-Only Telehealth
Center for Connected Health Policy
June 21, 2022image
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released guidance on the use of remote communication technologies for audio-only telehealth to assist health care providers and health plans, or covered entities, bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules). The goal of the guidance as stated by OCR is to support continued access to audio-only telehealth post-public health emergency (PHE) and make clear that audio-only telehealth is permissible under HIPAA Rules.
One of the main federal public health emergency (PHE) flexibilities instituted at the beginning of the pandemic included relaxed enforcement of certain federal privacy laws related to the use of various telehealth technologies (see OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications (Telehealth Notification)). The Telehealth Notification states that OCR will not penalize providers under HIPAA related to their good faith use of audio or video remote communication technologies during the PHE. While it appears likely that the PHE will be further extended one more time until mid-October, this guidance seeks to prepare providers for a return to compliance once the PHE and enforcement relaxations are no longer in effect.
HIPAA Allows Audio-Only
OCR first and foremost confirms the ability to comply with HIPAA when using remote communications to provide audio-only telehealth services. The guidance states the expectation of privacy of protected health information (PHI) from impermissible uses or disclosures and the importance of providing telehealth services in private settings. If the setting is not fully private, however, it is stressed that other safeguards must be put in place, such as speaking in low voices and not using speakerphone functions. In addition, entities must verify the individual’s identity if they are unknown. While verification can be completed orally or in writing, the HIPAA Rules do not require any specific method of identity verification. The guidance also highlights that this requirement may entail the use of language assistance services with individuals with limited English proficiency.
HIPAA Only Applies to Electronic Information via Electronic Media
In addressing the need to meet HIPAA Security Rule requirements to use remote communication technologies, OCR clarifies that the Rule only applies to electronic PHI (ePHI) transmitted over electronic media. Therefore, the Rule does not apply to audio-only telehealth services provided over a traditional landline, however it does apply to landlines being replaced with Voice over Internet Protocol (VoIP) and other electronic technologies that involve the internet, cellular, and Wi-Fi, as well as smartphone apps and messaging services that electronically store audio messages. These requirements again only apply to covered entities, noting that patients receiving telehealth services via remote technologies are not obligated by HIPAA and therefore covered entities aren’t responsible for the privacy of information once it has been received by the patient’s device. To ensure compliance with the HIPAA Security Rule the guidance states that all potential risks should be identified and addressed as part of risk analysis and risk management processes required under HIPAA, including the risk for interception of information during transmission, the ability for devices to encrypt transmitted information, and other device security and authentication processes.
Business Associate Agreements & Payer Rules
A business associate agreement (BAA) with a telecommunication service provider (TSP) is not always necessary to utilize audio-only technologies, as long as the TSP is just a conduit for the PHI being transmitted and does not have the ability to access the information being shared. If, however, the provider wants to use an app that does store information, then a BAA is required with the app developer, including apps that may provide translation services. The guidance states that whether or not audio-only services are covered by the patient’s health insurer does not impact a provider’s ability to provide those services in compliance with HIPAA, as payer rules and requirements are separate from HIPAA Rules.
While continuation of PHE telehealth flexibilities remains a policy focus in Congress, it is likely that the flexibilities related to privacy enforcement will not be continued post-PHE making the technologies used to provide telehealth services an area of focus for providers looking to continue providing telehealth access moving forward. Continuing use of audio-only telehealth is also an area of policy focus post-PHE, therefore this guidance is very timely. While the guidance is technically specific to just one telehealth modality, it does speak to audio-only through electronic technologies, generally encapsulating other remote communications using electronic means, such as video and store-and-forward telehealth.
For more information on OCR’s guidance related to audio-only communications post-PHE, as well as general telehealth guidance, please view the OCR FAQs and other resources listed in their entirety.
For more information: https://mailchi.mp/cchpca/ocr-clarifies-post-phe-hipaa-compliance-for-audio-only-telehealth