HIPAA Guidelines for Telehealth

On June 13, 2022, the Department of Health and Human Services issued guidance on HIPAA telehealth requirements, as these requirements pertain to audio-only telehealth services. The HIPAA guidance issued by HHS covers how and when covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when OCR’s Notification of Enforcement Discretion for Telehealth is no longer in effect.

That Enforcement Discretion for Telehealth remains in effect until OCR either declares the COVID-19 public health emergency (PHE) to be over or lets the PHE expire (the PHE is currently set to expire on July 15, 2022). If OCR does not extend the PHE or declare it over, the Notification of Enforcement Discretion for Telehealth will automatically be rescinded. Details of HIPAA guidelines for telehealth in a post-PHE world are provided below.

HHS Issues HIPAA Audio-Only Telehealth Guidance, But Why Now?

In December of 2021, President Biden issued Executive Order (EO)14058, with the hopeful title of “Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government.” The EO aimed to improve public confidence that HIPAA covered entities are protecting the privacy and security of PHI. 

Specifically, the EO directed the HHS Secretary to develop guidance for HIPAA-beholden entities on providing telehealth in compliance with HIPAA rules, following the end of the PHE, to improve patient experience and convenience. On June 13, HHS published the long-awaited guidance. *The HIPAA guidelines for telehealth addressed in the guidance should be reviewed by providers.

HIPAA Guidelines for Telehealth: What’s In The Guidance?

The HIPAA audio-only telehealth guidance addresses questions that HHS has received about whether, and in what circumstances, audio-only telehealth is permissible under the HIPAA Rules post-PHE.

In March 2020, when the COVID-19 pandemic began, HHS issued the above-mentioned Notification of Enforcement Discretion for Telehealth. This notification, designed to enable remote care during the pandemic, stated that OCR would exercise its enforcement discretion and not impose penalties on covered health care providers for noncompliance with specific rules. 

What are those rules? The rules regarding non-public facing audio or video remote communication technologies. 

The notification relaxed those rules to permit providers to use any available “non-public” facing remote communication technologies for telehealth, even where those technologies and how they were used, might not fully comply with the HIPAA Rules. However, once the PHE is over, the enforcement discretion is over. Meaning  – providers will have to comply with HIPAA telehealth requirements as they did before the PHE.

Let’s Simplify Compliance

Do you need help with HIPAA? Compliancy Group can help!

Learn More!
HIPAA Seal of Compliance

HIPAA Guidelines for Telehealth: What Will the Privacy Rule Permit?

HHS has been asked to provide guidance as to whether the Privacy Rule, post-PHE, will permit the use of remote communication technology (RCT) to provide audio-only telehealth. Per the guidance, the answer to the question is “yes” – HIPAA covered entities may use RCTs to provide telehealth, including audio-only services, in compliance with the Privacy Rule.

HIPAA telehealth requirements obligate providers to apply reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services. For example, OCR expects (as in, if a provider defies this expectation, it might become the target of an investigation) covered health care providers to provide telehealth services in private settings to the extent feasible.