HIPAA Rules Now Permit Audio-Only Telehealth
June 16, 2022
By: William Lewis and Alaina N. Crislip
On June 13, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced new guidelines clarifying how audio-only telemedicine can comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules).[1] These guidelines were announced in response to Executive Order 14058, issued on December 13, 2021, which instructed the HHS to develop guidance for telehealth “to improve patient experience and convenience following the end of the COVID-19 public health emergency.”[2] This Order emerged as a direct successor to the original Notification of Enforcement Discretion for Telehealth from March 17, 2020, which is scheduled to expire with the conclusion of the COVID-19 national emergency.[3]
As part of the new guidelines, and in opposition to the original 2020 Notification, the OCR appears to have restricted the enforcement discretion that has been provided to health care providers during the pandemic. Whereas the 2020 Notification waived potential penalties for HIPAA violations that occurred during a good faith telehealth interaction, the new guidelines do not afford this same degree of protection for audio-only telehealth services. Instead, full compliance with HIPAA Rules is now expected, and the OCR has provided guidance for healthcare providers to follow once the 2020 Notification is no longer in effect:
- Under the HIPAA Privacy Rule, remote communication technologies, including audio-only services, are permitted to provide telehealth services. For this, providers are required to apply reasonable safeguards to limit incidental uses or disclosures of protected health information (PHI). These measures include, but are not limited to, providing telehealth services in a private setting when feasible and, when this is not possible, using lowered voices (and not a speakerphone) when communicating in shared spaces. Furthermore, providers are required to identify the patient either orally or in writing (electronic means are permitted).
- For the transfer of electronic PHI (ePHI), providers must follow the guidance established by the HIPAA Security Rule when using electronic communication technologies (ex. communication apps on smartphones, transcription technologies, and messaging services that store audio messages). This Security Rule does not apply when using traditional landline communications however, because the information transmitted is not electronic.
- In relation to the transmission of ePHI, an individual is not required to use a specific telephone system when receiving telehealth services. They may use whichever system they choose.
- The telehealth service provider is not required to have a business associate agreement (BAA) with a telecommunication service provider (TSP) unless the TSP is creating, receiving, or maintain PHI on behalf of the entity. A BAA would be required between the healthcare provider and TSP if the TSP requires access on a routine basis to the PHI it transmits in calls, however. In sum, an entity must only enter into a BAA with a vendor when the TSP is more than a mere conduit for PHI transmission.
If you have any further questions concerning telehealth and HIPAA, please contact Jackson Kelly and a responsible attorney.
[1] U.S. Department of Health & Human Services Office for Civil Rights, Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth (Jun. 13, 2022).
[2] E.O. 14058, 86 FR 71357 (Dec. 16, 2021).
[3] U.S. Department of Health & Human Services Office for Civil Rights, OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Mar. 17, 2020); see also U.S. Department of Health & Human Services Office for Civil Rights, Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Jan. 20, 2021).