As we have discussed in previous articles, telehealth is gaining in popularity and has provided numerous benefits, including: easing healthcare access for patients in remote and underserved areas, increasing cost-effectiveness, delivering healthcare services efficiently, and broadening the opportunity to receive second opinions. However, telehealth compliance is tricky and varies from state to state. In addition to state laws, telehealth is also subject to federal reimbursement, patient privacy and confidentiality laws. During the COVID-19 pandemic, federal enforcement of these privacy regulations was eased, which, among other things, allowed providers to offer audio-only telehealth services.
Office for Civil Rights Telehealth Notification
In March 2020, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Telehealth Notification to assist the health care industry’s response to the COVID-19 public health emergency and quickly expand the use of remote health care services. OCR is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to protect the privacy and security of protected health information, namely the HIPAA Privacy, Security and Breach Notification Rules. The Telehealth Notification allowed covered health care providers to use any available non-public facing remote communication technologies for telehealth, even when those technologies, and the manner in which they were used, did not fully comply with HIPAA. This included telehealth offered through audio-only means. Audio-only telehealth is the delivery of health care services through the use of audio-only technology, permitting real-time communication between the patient and the provider.
While the COVID-19 public health emergency declaration was recently renewed, many providers have asked what happens once OCR’s Telehealth Notification is no longer in effect. OCR has now provided guidance on this subject.
How the HIPAA Rules Permit Remote Communication Technologies for Audio-Only Telehealth
The guidance issued by OCR clarified that covered entities can use audio-only services when OCR’s Telehealth Notification is no longer in effect, but must be in compliance with the HIPAA Privacy and Security Rules as follows:
Privacy Rule Requirements
Covered entities must provide telehealth services in private settings to the extent feasible. If telehealth services cannot be provided in a private setting, health care providers must still implement reasonable safeguards, such as using lowered voices and not using speakerphone, to limit incidental disclosures of protected health information (PHI). If the individual is not known to the covered entity, the entity must verify the identity of the individual either orally or in writing (including by electronic methods). The HIPAA Rules do not mandate a specific way to verify a person’s identity.
Security Rule Requirements
When audio-only telehealth is provided over a standard telephone (landline), the Security Rule does not apply, because the information transmitted is not electronic PHI. However, when using electronic communication technologies such as VoIP, the Internet, intra- and extranets, cellular, and Wi-Fi, several factors must be considered. First, potential risks and vulnerabilities to electronic PHI must be identified, assessed, and addressed as part of the covered entity’s risk analysis and risk management processes. The provider is not, however, responsible for the privacy or security of an individual’s health information once it has been received by the individual’s phone or other device, regardless of the type of phone system the individual uses. Additionally, a business associate agreement (BAA) with a telecommunication service provider (TSP) is required when the TSP is acting as a business associate. An example would be a smartphone app offered by the TSP that stores PHI (e.g., recordings, transcripts) in the developer’s cloud infrastructure. A BAA is not required with a TSP that has only transient access to the PHI it transmits, meaning it does not store or record any part of the conversation.
When Will Change Happen?
While there is currently no date set for the expiration of OCR’s Telehealth Notification, covered health care providers that are currently using remote communication technologies for telehealth should prepare in advance by reviewing their current methods of telecommunication, their HIPAA risk analysis, and their risk management processes. Read the full HHS OCR guidance.
At ByrdAdatto we are working hard to ensure our clients are up to date with the latest regulation and rule changes in order to maintain compliance. If you have questions regarding this alert, email us at firstname.lastname@example.org or call 214.291.3200.
We are grateful for the significant research and drafting contribution to this article from our Law Clerk, Clint Nuckolls. Clint is a second year student at SMU Dedman School of Law.