In March 2020, the HHS’ Office for Civil Rights (OCR) issued a Telehealth Notification that included a notice of enforcement discretion regarding the use of remote communication technologies for providing telehealth services during the COVID-19 public health emergency (PHE) to expand the provision of telehealth services and help control COVID-19 infections.
During the pandemic, many healthcare providers started providing telehealth services through remote communication technologies that would not normally be considered HIPAA compliant. When the PHE is declared over, the notice of enforcement discretion will end, which will leave healthcare providers and health plans at risk of financial penalties if the HIPAA Rules are violated, even in relation to the good faith provision of telehealth services.
Ahead of the declaration by the Secretary of the HSS that the PHE is over, OCR has issued new guidance that explains how HIPAA applies to audio-only telehealth services, when those services fall outside of the HIPAA Security Rule, when HIPAA Security Rule safeguards are required to ensure the confidentiality, integrity, and availability of ePHI, and when business associate agreements must be signed with vendors that provide communication technologies.
“This guidance will help individuals to continue to benefit from audio-only telehealth by clarifying how covered entities can provide these services in compliance with the HIPAA Rules and by improving public confidence that covered entities are protecting the privacy and security of their health information,” explained OCR in the announcement.
Many people rely on telehealth services, especially those living in remote rural areas where the nearest healthcare provider may be many miles away. Individuals with disabilities take advantage of telehealth to get easy access to healthcare. Some individuals may, however, be unable to access technologies used for audio-video telehealth for a variety of reasons, including lacking the financial resources, poor Internet access, availability of sufficient broadband, and cell coverage in their geographic area. Audio-only telehealth, especially when delivered using technologies that do not require broadband availability, can help address the needs of some of these individuals.
There are, however, HIPAA considerations. The HIPAA Security Rule does not apply when audio-only telehealth is provided via a landline, but the HIPAA Security Rule does apply when other technologies are used, including mobile apps, cellular and Wi-Fi networks, the Internet, intra- and extranets, and communication technologies such as Voice over Internet Protocol (VoIP). “Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using such technologies need to be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes, as required by the HIPAA Security Rule,” explained OCR in the guidance.
The guidance also addresses when business associate agreements (BAAs) are required. A BAA is not required with a telecommunication service provider for telehealth services, other than when they are acting as a business associate, because they act as a conduit through which ePHI is transferred and do not create, receive, or maintain any ePHI from the session and only connect the call.
A BAA is required when the service provider is more than a conduit and stores any ePHI, such as within the vendor’s cloud infrastructure for later use. For instance, when a smartphone app is used that translates oral communications to another language to provide meaningful access to individuals with limited English proficiency, a BAA is required.
With the declaration that the PHE is over likely to be just around the corner, all HIPAA-regulated entities that provide telehealth services should consult the latest OCR guidance.