On June 13, 2022, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on the use of remote communication technologies for audio-only telehealth services by covered health care providers. The guidance clarifies how covered entities can provide audio-only telehealth in compliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Covered health care providers should take note of this guidance from OCR, as it will continue to apply even after OCR’s Notice of Enforcement Discretion for Telehealth is no longer in effect. The following is a summary of the guidance’s key takeaways.
HIPAA Privacy Rule Compliance
OCR’s guidance clarifies that the HIPAA Privacy Rule permits covered health care providers to use remote communication technologies to provide audio-only telehealth services (not video) so long as the technology’s use complies with the Rule’s requirements. In order to use remote communication technologies, the covered health care provider must ensure that applicable requirements, including the use of reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible use or disclosure, are met. For example, covered health care providers are expected to provide telehealth services in private settings to the extent feasible and are required to verify the patient’s identity either orally or in writing (including by electronic methods) in instances where the patient is not known to the covered entity. The covered entity should document the verification in the patient record.
HIPAA Security Rule Compliance
According to the guidance from OCR, covered health care providers must meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services. Importantly, the HIPAA Security Rule’s requirements do not apply to audio-only telehealth services that are provided using a standard telephone line (i.e., a traditional landline). Instead, the Rule only applies to electronic protected health information (ePHI) that is transmitted by, or maintained in, electronic media. The key to determining whether the HIPAA Security Rule requirements apply is the type of remote communication technology used by the covered health care provider. For example, the Security Rule requirements would not apply in instances where the covered health care provider is providing services using a traditional landline, regardless of whether the patient is utilizing another type of remote communication technology. Note also that covered health care providers are not responsible for the privacy and security of a patient’s health information once the information has been received by the patient’s phone or device.
The HIPAA Security Rule does apply, however, in instances where electronic communication technologies are used. Electronic communication technologies include Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media like the internet, intra- and extranets, cellular, and Wi-Fi, as well as communication applications (apps) on smartphones or other computing devices, technologies that electronically record or transcribe the telehealth sessions, and messaging services that store audio messages electronically. If a covered health care provider uses one of these types of electronic communication technologies, the HIPAA Security Rule safeguards must be applied. Specifically, the covered health care provider must identify, assess, and address any potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI through its risk analysis and risk management processes. According to the guidance, this risk analysis and risk management should consider, among other factors, whether there is a risk that the transmission could be intercepted by an unauthorized third party, whether the remote communication technology supports encrypted transmissions, and whether authentication is required to access the device or app where ePHI for the telehealth session may be stored.
Business Associate Agreements
OCR’s guidance also clarifies that covered health care providers may conduct audio-only telehealth using remote communication technologies without having a business associate agreement (BAA) in place with the vendor. However, if the vendor is acting as a business associate, a BAA is required. For example, if the vendor does not create, receive, or maintain any PHI from a telehealth session and is only connecting the call, a BAA is not required. In contrast, if the vendor is more than a conduit for the PHI (i.e., has more than transient access to the PHI it transmits), a BAA is required. Another example of an instance where a BAA would be required is when a covered health care provider uses a smartphone app to translate oral communications to another language.
Covered health care providers that wish to offer audio-only telehealth services using remote communication technologies should review the guidance from OCR and update their policies and procedures as necessary. Additionally, providers should ensure that appropriate BAAs are in place where necessary. Robust inventory and asset management processes to ensure that accurate and thorough risk analyses occur are also critical for covered health care providers that use electronic communication technologies. Attorneys on Barclay Damon’s Health & Human Services Providers Team are available to assist health care providers with compliance efforts under the HIPAA Rules and will continue to monitor any developments and best practices.
If you have any questions about the content of this alert, please contact Dena DeFazio, associate, at ddefazio@barclaydamon.com, or another member of the firm’s Health & Human Services Providers Team.