Today a doctor’s “call list” includes telephone calls (via cell and/or landlines), video conferences, messaging through a variety of apps, and email. There’s been an explosion of ways to communicate, and yet HIPAA still matters.
If you use telehealth, it’s time to review what you’re doing to make sure you’re ready when the telehealth HIPAA flexibilities stop. For the past fifteen months the HHS’ Office for Civil Rights (OCR) has applied relaxed rules around HIPAA enforcement related to telehealth because of the Covid-19 Public Health Emergency (PHE). But the PHE is not permanent, and when it ends, so do the relaxed rules.
Audio-Only Telehealth is an Option
This week OCR issued new guidance on HIPAA and audio-only telehealth services. Although the headline only mentions audio telehealth, its FAQs are instructive for both audio and video, as they review the application of the Security Rule and the need for a business associate agreement when using telehealth generally.
OCR Director Lisa J. Pino said:
“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information.”
Background of Telehealth During the Pandemic
To help prevent the spread of Covid-19, OCR announced in March 2020 that it would temporarily exercise enforcement discretion and would not impose sanctions and penalties for HIPAA violations with respect to the good faith provision of telehealth services.
OCR permitted the use of remote communication tools for telehealth, including apps and platforms that would not normally be considered HIPAA compliant, and did not require HIPAA covered entities to enter into a business associate agreement with vendors of these communication tools. The notice of enforcement discretion stated that it would last for the duration of the PHE.
After the PHE ends, the continued use of these remote communication technologies could potentially violate HIPAA and could lead to financial penalties and other remedies.
Telehealth Today and in the Future
Telehealth has been a great benefit to patients and providers and is here to stay. But since the technology is still relatively new, and security issues remain, OCR seems to be sending a signal that more work needs to be done on security, and audio-only may be a more secure alternative.
In the new guidance, OCR explains when, and under what circumstances, audio-only telehealth is permitted under HIPAA. OCR confirmed that telehealth services are permitted under HIPAA, but covered entities should apply reasonable safeguards to protect the privacy of protected health information (PHI), such as ensuring telehealth services are provided in private settings, as far as possible, and using lowered voices to reduce the potential for incidental disclosures of PHI. It is also necessary to verify the identity of the patient, orally or in writing.
The Security Rule May Apply
When audio-only telehealth services are provided over standard telephone lines – landlines – the HIPAA Security Rule does not apply, as the information transmitted is not electronic. However, if electronic communication technologies are used, the HIPAA Security Rule does apply, which includes “Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra-, and extranets, cellular, and Wi-Fi.”
When these technologies are used, the HIPAA Security Rule requires safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI), and risks and vulnerabilities must be identified, assessed, and addressed as part of a covered entity’s Risk Analysis and Risk Management. OCR suggests that due to the speed at which communication technologies evolve, a robust inventory and asset management process is needed to identify such technologies and the information systems that use them, to help ensure an accurate and thorough risk analysis.
A Business Associate Agreement May Be Required to Support Telehealth
Business associates are vendors (to a covered entity) that “create, receive, maintain or transmit” protected health information, while performing a service involving the PHI. Business associates are governed by HIPAA and are required to enter into a business associate agreement (BAA) with any covered entity for whom they provide services.
When it comes to audio-only telehealth, the following examples illustrate when BAAs are required.
Example when a BAA is not required:
- Between a covered entity and a telecommunication service provider* (TSP) if the TSP does not create, receive, or maintain any PHI from the session and is only connecting the call.
Examples when a BAA is required:
- When a covered entity provider uses a smartphone app that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the provider’s later use. In this case, the app would not be providing mere data transmission services and would instead also be creating, receiving, and maintaining PHI. Because it is not merely a conduit for transmission of the PHI, the provider would need to enter into a BAA with the app developer before it can use the app with patients.
- A covered entity provider needs a BAA with the developer of a smartphone app that the provider uses to translate oral communications to another language to provide meaningful access to individuals with limited English proficiency, because the app is creating and receiving PHI, and therefore the developer is a business associate.
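The two tests above (does the Security Rule apply to the channel, and does the vendor need a BAA) are easy to apply once, but OCR's point about an inventory and asset management process is that they must be applied across every communication tool in use. The following script is an added illustration, not code from OCR or The HIPAA E-Tool®: it runs both tests over a constructed, hypothetical inventory of telehealth channels (vendor names and flags are made up) and lists the channels that belong in the risk analysis or that lack a required BAA.

```python
from dataclasses import dataclass

# Electronic media named in the OCR guidance as bringing the Security Rule into play.
ELECTRONIC_MEDIA = {"voip", "cellular", "wifi", "internet", "intranet", "extranet"}


@dataclass(frozen=True)
class Channel:
    name: str
    medium: str              # "landline" or one of ELECTRONIC_MEDIA
    vendor: str              # hypothetical vendor name
    vendor_handles_phi: bool # vendor creates/receives/maintains PHI (not a mere conduit)
    baa_in_place: bool       # a BAA with this vendor is already signed


def security_rule_applies(ch: Channel) -> bool:
    """Landlines are out of scope; ePHI over electronic media is in scope."""
    return ch.medium.lower() in ELECTRONIC_MEDIA


def baa_required(ch: Channel) -> bool:
    """A conduit that only connects the call needs no BAA; a vendor that
    creates, receives or maintains PHI is a business associate."""
    return ch.vendor_handles_phi


def assess(inventory: list[Channel]) -> list[dict]:
    """Turn the inventory into a list of findings for the risk analysis."""
    findings = []
    for ch in inventory:
        if security_rule_applies(ch):
            findings.append({"channel": ch.name, "issue": "ePHI in transit: include in risk analysis"})
        if baa_required(ch) and not ch.baa_in_place:
            findings.append({"channel": ch.name, "issue": f"BAA missing with {ch.vendor}"})
    return findings


# Constructed sample inventory (all names and flags are hypothetical).
SAMPLE_INVENTORY = [
    Channel("office landline", "landline", "ExampleTel", False, False),
    Channel("VoIP desk phone", "voip", "ExampleVoIP", False, False),
    Channel("call-recording app", "wifi", "ExampleRecorder", True, False),
    Channel("translation app", "cellular", "ExampleTranslate", True, True),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['channel']}: {f['issue']}")
```

Only the landline produces no finding; the VoIP phone enters the risk analysis even though its carrier is a mere conduit, and the recording app is flagged twice because it both carries ePHI and stores it without a BAA.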
The HIPAA E-Tool® Stays Up to Date
Everything you need to stay on top of your HIPAA responsibilities is at your fingertips in The HIPAA E-Tool®. We stay current so you don’t have to.
* TSPs are companies that provide voice and/or data transmission services, such as Internet Service Providers (ISPs), telecommunication carriers, and wireless carriers.