HIPAA Guidelines for Telehealth

On June 13, 2022, the Department of Health and Human Services issued guidance on HIPAA telehealth requirements, as these requirements pertain to audio-only telehealth services. The HIPAA guidance issued by HHS covers how and when covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when OCR’s Notification of Enforcement Discretion for Telehealth is no longer in effect.

That Enforcement Discretion for Telehealth remains in effect until OCR either declares the COVID-19 public health emergency (PHE) to be over or lets the PHE expire (the PHE is currently set to expire on July 15, 2022). If OCR does not extend the PHE or declare it over, the Notification of Enforcement Discretion for Telehealth will automatically be rescinded. Details of HIPAA guidelines for telehealth in a post-PHE world are provided below.

HHS Issues HIPAA Audio-Only Telehealth Guidance, But Why Now?

In December of 2021, President Biden issued Executive Order (EO) 14058, with the hopeful title of “Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government.” The EO aimed to improve public confidence that HIPAA covered entities are protecting the privacy and security of PHI.

Specifically, the EO directed the HHS Secretary to develop guidance for HIPAA-beholden entities on providing telehealth in compliance with the HIPAA Rules following the end of the PHE, to improve patient experience and convenience. On June 13, HHS published the long-awaited guidance. The HIPAA guidelines for telehealth addressed in the guidance should be reviewed by providers.

HIPAA Guidelines for Telehealth: What’s In The Guidance?

The HIPAA audio-only telehealth guidance addresses questions that HHS has received about whether, and in what circumstances, audio-only telehealth is permissible under the HIPAA Rules post-PHE.

In March 2020, when the COVID-19 pandemic began, HHS issued the above-mentioned Notification of Enforcement Discretion for Telehealth. This notification, designed to enable remote care during the pandemic, stated that OCR would exercise its enforcement discretion and not impose penalties on covered health care providers for noncompliance with specific rules. 

What are those rules? The rules regarding non-public facing audio or video remote communication technologies. 

The notification relaxed those rules to permit providers to use any available “non-public facing” remote communication technology for telehealth, even where those technologies, and how they were used, might not fully comply with the HIPAA Rules. However, once the PHE is over, the enforcement discretion is over, meaning providers will have to comply with HIPAA telehealth requirements as they did before the PHE.


HIPAA Guidelines for Telehealth: What Will the Privacy Rule Permit?

HHS has been asked to provide guidance as to whether the Privacy Rule, post-PHE, will permit the use of remote communication technology (RCT) to provide audio-only telehealth. Per the guidance, the answer to the question is “yes” – HIPAA covered entities may use RCTs to provide telehealth, including audio-only services, in compliance with the Privacy Rule.

HIPAA telehealth requirements obligate providers to apply reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services. For example, OCR expects (as in, if a provider defies this expectation, it might become the target of an investigation) covered health care providers to provide telehealth services in private settings to the extent feasible.  

Suppose telehealth services cannot be provided in a private setting (e.g., where a provider shares an office with a colleague or a family member). In that case, providers must still implement reasonable safeguards to limit incidental uses or disclosures of PHI.

Another HIPAA telehealth requirement that will continue to apply after the PHE is over is the requirement that a provider verify the identity of a would-be patient, either verbally or in writing. While HIPAA telehealth requirements do not dictate one specific way of verification, federal and state civil rights laws require certain procedures to be followed. Such laws, for example, mandate that communication with an individual with a disability must be as effective as communication with others. This means that, if necessary, providers must offer auxiliary aids and services during communication. These same laws also require providers to provide meaningful access for individuals with limited English proficiency through the use of appropriate language assistance services.

HIPAA Guidelines for Telehealth: Hailing Frequencies Open

The HIPAA audio-only telehealth guidance next addresses whether providers, post-PHE, must meet the HIPAA Security Rule requirements to use remote communication technologies for audio-only telehealth services. OCR’s guidance: “Yes, in certain circumstances.”

The Security Rule applies to ePHI. Therefore, the rule does not apply to audio-only telehealth services provided using a traditional landline, because the information transmitted is not electronic. If the services are provided using traditional landlines, the Security Rule safeguards do not apply, regardless of what type of telephony the patient uses.

If, however, the provider uses telehealth services through electronic communication technologies, the Security Rule kicks in. 

HHS provides several examples of technologies, the use of which requires Security Rule compliance:

  • Communication applications (apps) on a smartphone or another computing device
  • VoIP technologies
  • Technologies that electronically record or transcribe a telehealth session
  • Messaging services that electronically store audio messages 

Providers using such technology must observe the administrative, physical, and technical safeguards of the Security Rule. Again, while the provider is bound by HIPAA, the patient is not: the patient may use any telephone system they choose for the session. The “catch” for the patient is that a provider is not responsible for the privacy or security of individuals’ health information once that information has been received by the individual’s phone or another device.   

HIPAA telehealth requirements and the Security Rule obligate providers using electronic communications technologies to conduct risk analysis and management. 

Risk analysis and risk management should include considerations of:

  • Whether there is a risk the transmission could be intercepted by an unauthorized third party
  • Whether the remote communication technology (e.g., mobile device, app) supports encrypted transmissions
  • Whether there is a risk that ePHI created or stored as a result of a telehealth session (e.g., session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure recordings or transcripts of created or stored telehealth sessions
  • Whether authentication is required to access the device or app where telehealth session ePHI may be stored
  • Whether the device or app enables automatic logoff or locks after a period of inactivity

The guidance specifically notes that a robust inventory and asset management process can help providers identify remote communication technologies and the information systems that use them, ensuring an accurate and thorough HIPAA security risk analysis.

HIPAA Guidelines for Telehealth: We Have an Agreement

The June 2022 HHS guidance next addresses whether a provider or plan may conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor. The answer: in some circumstances.

The HIPAA Privacy Rule obligates a provider to enter into a business associate agreement with a telecommunication service provider (TSP) only when that TSP is acting as a business associate.

Here, the “HIPAA conduit rule” comes into play. 

If a TSP only has transient (lasting only for a short time) access to PHI, and if the TSP’s transmission services do not involve any storage of the information (other than on a temporary basis), the TSP is considered a “HIPAA conduit.” Conduits, by definition, are not business associates, meaning providers need not enter into business associate agreements (BAAs) with conduits. 

Examples of conduits include entities that merely connect calls, and do not create, receive, maintain, or transmit PHI from a session.

If, however, access to PHI is more than transient, or if the storage of PHI is more than temporary, and/or if the TSP creates, receives, or maintains PHI on behalf of the provider, the TSP is a business associate, not a conduit. Therefore, the provider must enter into a BAA with the TSP.  
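The three decisions the guidance describes (does the Security Rule apply, which of the listed risk-analysis questions turn up a gap, and is the vendor a conduit or a business associate that needs a BAA) can be written down as a small policy-as-code check run over the provider's inventory of remote communication technologies. The following is an added example, not code from HHS, OCR or Compliancy Group; every field name, the `RemoteCommTech` record and the three sample assets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example (not HHS or Compliancy Group code): a policy-as-code
# check that applies three rules from the HHS audio-only telehealth guidance
# to an inventory of remote communication technologies (RCTs):
#   1. the Security Rule applies only when ePHI is transmitted electronically,
#   2. the risk-analysis questions HHS lists (interception, encryption of
#      stored recordings/transcripts, authentication, automatic logoff),
#   3. the conduit test: transient access plus no more-than-temporary storage
#      means the vendor is a conduit and no business associate agreement is needed.
# All field names and the sample inventory below are assumptions.


@dataclass
class RemoteCommTech:
    name: str
    electronic: bool               # False for a traditional landline
    encrypted_transmission: bool   # does the app/device encrypt the call in transit?
    stores_ephi: bool              # recordings, transcripts or stored voice messages
    storage_encrypted: bool        # is that stored ePHI encrypted?
    requires_authentication: bool  # login/PIN required to reach stored session ePHI
    auto_logoff: bool              # locks or logs off after a period of inactivity
    vendor_access_transient: bool  # vendor only touches PHI while connecting the call
    vendor_storage_temporary: bool # vendor keeps no copy beyond temporary transit


def security_rule_applies(tech: RemoteCommTech) -> bool:
    """The Security Rule covers ePHI; a traditional landline call carries none."""
    return tech.electronic


def vendor_is_conduit(tech: RemoteCommTech) -> bool:
    """Conduit = transient access and no more-than-temporary storage of PHI."""
    return tech.vendor_access_transient and tech.vendor_storage_temporary


def baa_required(tech: RemoteCommTech) -> bool:
    """A vendor that is not a conduit is a business associate and needs a BAA."""
    return not vendor_is_conduit(tech)


def risk_findings(tech: RemoteCommTech) -> list[str]:
    """Gaps against the HHS risk-analysis considerations, as plain findings."""
    findings: list[str] = []
    if not security_rule_applies(tech):
        return findings  # landline: Security Rule safeguards do not apply
    if not tech.encrypted_transmission:
        findings.append("unencrypted transmission: interception risk")
    if tech.stores_ephi:
        if not tech.storage_encrypted:
            findings.append("stored recordings/transcripts not encrypted")
        if not tech.requires_authentication:
            findings.append("no authentication on device/app holding session ePHI")
    if not tech.auto_logoff:
        findings.append("no automatic logoff/lock after inactivity")
    return findings


def assess_inventory(inventory: list[RemoteCommTech]) -> dict[str, dict]:
    """Roll the three checks up per asset so the risk analysis has one record each."""
    return {
        t.name: {
            "security_rule": security_rule_applies(t),
            "baa_required": baa_required(t),
            "findings": risk_findings(t),
        }
        for t in inventory
    }


# Constructed sample inventory (assumed values, not real products or vendors).
SAMPLE_INVENTORY = [
    RemoteCommTech("desk landline", electronic=False, encrypted_transmission=False,
                   stores_ephi=False, storage_encrypted=False,
                   requires_authentication=False, auto_logoff=False,
                   vendor_access_transient=True, vendor_storage_temporary=True),
    RemoteCommTech("voip softphone", electronic=True, encrypted_transmission=True,
                   stores_ephi=False, storage_encrypted=False,
                   requires_authentication=True, auto_logoff=True,
                   vendor_access_transient=True, vendor_storage_temporary=True),
    RemoteCommTech("recording/transcription app", electronic=True,
                   encrypted_transmission=True, stores_ephi=True,
                   storage_encrypted=False, requires_authentication=False,
                   auto_logoff=False, vendor_access_transient=False,
                   vendor_storage_temporary=False),
]

if __name__ == "__main__":
    for name, result in assess_inventory(SAMPLE_INVENTORY).items():
        print(name, result)
```

Run against the sample inventory, the landline produces no findings and no BAA requirement, the encrypted VoIP softphone whose vendor only connects calls passes clean, and the recording app is flagged on three points and marked as needing a BAA because its vendor keeps the recordings. The point of keeping the inventory as structured records is the one the guidance makes: the asset list is what makes the risk analysis complete, since a technology that is not in the inventory is never assessed.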

HIPAA Guidelines for Telehealth: What if I’m Not Covered?

Do HIPAA telehealth requirements permit providers to use remote communication technologies for audio-only telehealth even if the patient’s plan does not cover or pay for such services? The HHS guidance says “yes.” 

Providers may offer audio-only telehealth services using remote communication technologies (provided they do so in a HIPAA-compliant fashion), regardless of whether a plan pays for the services. HIPAA telehealth requirements do not cover health plan coverage and payment policy issues for telehealth services. 
