The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently released new guidance (the “Guidance”) to help ensure that individuals may continue to benefit from audio-only telehealth services and clarify for health care providers and health plans how they can provide such services while complying with the HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”). The Guidance is the strongest signal yet from OCR that it intends to resume imposing penalties against covered entities that do not comply with the HIPAA Rules when providing telehealth. Healthcare providers and health plans should ensure that they can continue to provide telehealth while safeguarding the privacy and security of individuals’ protected health information (PHI).
OCR recognizes that, despite the explosive growth of telehealth during the COVID-19 pandemic, there are still individuals in the U.S. who, for a variety of reasons such as lack of sufficient broadband or cell coverage, financial resources, internet access, disability, or limited English proficiency, have difficulty accessing audio-visual telehealth and must rely on audio-only telehealth. The Guidance is meant to assist covered entities with HIPAA compliance when the Telehealth Notification (defined below) is no longer in effect. While the Guidance specifically addresses audio-only telehealth services, it applies to all types of telehealth communications, and it applies to health plans as well as health care providers.
Background on telehealth and OCR enforcement discretion
In response to the COVID-19 public health emergency (“PHE”), in March 2020 OCR issued its Notification of Enforcement Discretion for Telehealth Remote Communications (the “Telehealth Notification”). The Telehealth Notification provides that OCR will exercise its enforcement discretion and will waive potential penalties for HIPAA violations by covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 PHE. The Telehealth Notification remains in effect until the Secretary of HHS declares the PHE period has ended or in July 2022, if there is not another renewal of the PHE determination.
An overview of OCR’s responses to FAQs relating to HIPAA compliance and telehealth is outlined below:
1. The HIPAA Privacy Rule permits covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services.
Under the HIPAA Privacy Rule, covered entities may provide audio-only telehealth services if they apply reasonable safeguards to protect PHI from impermissible uses or disclosures. For example, if telehealth services cannot occur in a private setting, OCR suggests using lowered voices and avoiding the speakerphone. If the individual is not known to the covered entity, it must verify the identity of the individual orally or in writing. Further, OCR reminds covered entities that civil rights laws require communications with an individual with a disability to be as effective as communications with others. This may require providing the individual with auxiliary aids or additional services to assist with the communication, including the communications used to verify the individual’s identity. This reminder is noteworthy because, in addition to enforcing HIPAA, OCR enforces certain non-discrimination laws.
2. Covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule when they use electronic communication technologies to provide audio-only telehealth services.
OCR clarified that a covered entity does not need to apply HIPAA Security Rule safeguards to telehealth services that it provides using traditional landlines as the information transmitted is not electronic and therefore is not subject to the Security Rule.
However, the Security Rule does apply when the covered entity provides audio-only telehealth using electronic communication technologies and mobile technologies that use electronic media. Examples of electronic technologies that require compliance with the Security Rule include:
- Communication applications (apps) on a smartphone;
- Voice over Internet Protocol technologies;
- Technologies that electronically record or transcribe a telehealth session; and
- Messaging services that electronically store messages.
3. In certain circumstances the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor.
OCR clarified that where the telecommunications service provider has only transient access to the PHI it transmits, the service provider is acting as a conduit for the PHI and not as a business associate, so a business associate agreement is not needed. However, if the telecommunications service provider creates, receives, or maintains PHI on behalf of the covered entity, then the parties must have a business associate agreement in place. For example, if a health care provider conducts audio-only telehealth using a smartphone app offered by the provider that stores PHI such as recordings or transcripts, then the app is providing more than mere transmission services and a business associate agreement is needed with the app developer. Similarly, a covered entity needs a business associate agreement with an app developer if it uses a smartphone app to translate oral communications into another language to provide access to individuals with limited English proficiency.
4. The HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth regardless of whether the patient’s health plan provides coverage or payment for those services.
OCR explained that while covered entities may provide audio-only telehealth services consistent with the HIPAA Rules, this does not mean that Medicare, Medicaid, or private payers will cover or reimburse for the services. Coverage and reimbursement questions for any type of telehealth are beyond OCR’s authority.
Healthcare providers and health plans providing telehealth, including audio-only services, should begin planning now for the end of the Telehealth Notification and for OCR to resume its enforcement activities against covered entities that do not comply with the HIPAA Rules when providing telehealth. Specifically, they should:
- Confirm whether their existing telehealth services and technologies (whether audio-visual or audio-only) comply with the HIPAA Rules;
- If the services and/or technologies do not comply with the HIPAA Rules, implement the necessary remediation to bring the telehealth services into compliance or find another technology that already complies with the HIPAA Rules;
- Update their risk analysis and risk management plan to address the potential risks and vulnerabilities to ePHI when using electronic communication technologies to provide telehealth;
- Ensure that all necessary business associate agreements with telehealth technology providers are in place;
- Ensure that telehealth services allow communications with a patient with a disability or limited English proficiency to be as effective as communications with other patients; and
- Monitor OCR announcements regarding when the Telehealth Notification will end.
If unsure, covered entities should consult health care counsel to determine whether their policies and procedures are compliant.