The Health Insurance Portability and Accountability Act (HIPAA) Rules permit HIPAA-covered entities to use remote communication technologies for providing telehealth services to patients. In March 2020, OCR issued a Telehealth Notification in response to the COVID-19 public health emergency to facilitate a rapid expansion in remote health care services. Telehealth services proved to be invaluable in the fight against COVID-19 and are relied upon by individuals in remote communities and those with disabilities for accessing medical services.
In the Telehealth Notification, OCR explained that it would be exercising enforcement discretion for the duration of the public health emergency and would not be imposing penalties on healthcare providers for noncompliance with the HIPAA Rules with respect to the good faith provision of telehealth services. Covered healthcare providers were permitted to use non-public facing remote communication technologies for telehealth services that would, under normal circumstances, not be compliant with the HIPAA Rules.
OCR has issued new guidance on the provision of audio-only telehealth services ahead of the declaration of the Secretary of the HHS that the COVID-19 public health emergency no longer exists, to ensure that telehealth services can continue to be provided in a manner that complies with the HIPAA Rules. Once the public health emergency is declared over, enforcement discretion will come to an end.
HIPAA and Telephone Provision of Audio-only Telehealth
In the guidance, OCR confirms that audio-only telehealth services can be provided under certain circumstances and that the HIPAA Security Rule does not apply to audio-only telehealth services provided through standard telephone lines (landlines). The HIPAA Security Rule does apply if other technologies are used, such as if audio-only telehealth services are provided over the Internet, intranets and extranets, using cellular networks, Wi-Fi, and Voice over Internet Protocol (VoIP). If any of these methods are used, the HIPAA Security Rule safeguards must be applied to those technologies. That means that potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI need to be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes prior to using such technologies.
HIPAA, Audio-only Telehealth, and Business Associate Agreements
A business associate agreement is not needed with telecommunication service providers (TSPs) that only have transient access to any PHI transmitted, only when a TSP is acting as a business associate. TSPs fall under the HIPAA conduit exception, as PHI transmitted through the network is not routinely accessed when a call is transmitted. OCR explained that this also applies to certain smartphone telehealth calls. “ A covered health care provider may conduct an audio-only telehealth session with a patient using a smartphone without a BAA between the covered health care provider and the TSP, where the TSP does not create, receive, or maintain any PHI from the session and is only connecting the call.”
Business associate agreements are required when PHI is stored by the vendor, as the vendor is more than a mere conduit. That means that if a smartphone app is used, or if recordings of calls are stored in a service provider’s cloud environment for the provider’s later use, business associate agreements are required.
Remote Communication Technologies, Audio-only Telehealth when Health Plans do not Provide Coverage
OCR has also confirmed that audio-only telehealth services using remote communication technologies can be provided if they are consistent with the requirements of the HIPAA Rules, irrespective of whether any health plan covers or pays for those services. Health plan coverage and payment policies issues may exist, but they are not HIPAA compliance issues.
The guidance is available on the HHS website on this link, and further resources are provided on the page where further information on HIPAA and the provision of telehealth services by covered healthcare providers and health plans can be found.