OCR Publishes Guidance on Audio-Only Telehealth After the COVID Public Health Emergency is Over

Begin planning now and make sure that your telehealth services are HIPAA compliant, because as soon as the COVID-19 Public Health Emergency (PHE) ends, so do all telehealth HIPAA flexibilities. With that in mind, the Department of Health and Human Services’ Office for Civil Rights (OCR) has published new guidance on HIPAA and audio-only telehealth services.

The Ending of the Period of Enforcement Discretion

In March 2020, the HHS’ Office for Civil Rights released a Telehealth Advisory stating that it would be exercising enforcement discretion. That means it won’t impose sanctions and fines for HIPAA violations connected with the good faith provision of telehealth services. The action was intended to make it easier for healthcare companies to provide telehealth services to individuals and so help limit the spread of COVID-19.

OCR allowed healthcare companies to use remote communication tools for telehealth, including applications and websites that wouldn’t typically be regarded as ‘HIPAA-compliant,’ and didn’t require HIPAA-covered entities to sign a business associate agreement with the companies offering remote communication solutions. The notification of enforcement discretion stated that it would remain in effect throughout the PHE. The period of enforcement discretion ends when the Secretary of the HHS announces that the COVID-19 PHE is over, or when the declared PHE expires, whichever comes first. If entities continue to use those remote communication tools, they could be in violation of the HIPAA Rules. That could result in financial penalties and other remedies to address the HIPAA violations.

In the latest guidance on HIPAA and audio-only telehealth, entitled “Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth,” OCR clarifies the conditions under which audio-only telehealth is allowed under HIPAA. OCR affirmed that telehealth services are allowed under HIPAA; however, HIPAA-regulated entities must implement reasonable safeguards to protect the privacy of protected health information (PHI), for example, making sure that telehealth services are provided in private settings and using lowered voices to reduce the chance of incidental PHI disclosures. It is also required to verify the identity of the patient, verbally or in writing.

The Application of the HIPAA Security Rule on Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth services are provided over regular phone lines (landlines), the HIPAA Security Rule does not apply because the data transmitted isn’t digital. The HIPAA Security Rule applies whenever digital communication systems are used, such as Voice over Internet Protocol (VoIP) and mobile systems that utilize electronic media, i.e., the Internet, extranets and intranets, Wi-Fi, and cellular.

If these technologies are used, the HIPAA Security Rule requires the implementation of safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). Risks and vulnerabilities should be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes. OCR states that because of the pace at which communication systems develop, a robust inventory and asset management process is advised to identify such technologies and the IT systems that use them. This will help ensure an accurate and thorough risk analysis.

The Requirement for Business Associate Agreements

Any vendor that has access to, or views, ePHI must sign a business associate agreement (BAA) with the HIPAA-covered entity. Companies that provide platforms for telehealth may be required to sign BAAs. A BAA is only necessary if a telecommunication service provider (TSP) is acting as a business associate.

If the TSP has merely transient access to the PHI being transmitted, the HIPAA conduit exception can be applied. If the TSP is not generating, receiving, or retaining PHI for the covered entity, and the TSP doesn’t get regular access to the PHI being transmitted in the call, there is no business associate relationship. For that reason, a BAA is not required.

A BAA is mandatory if a TSP is more than a conduit, that is, if it offers more than data transmission services. If it is generating, receiving, or retaining ePHI, a BAA is mandatory before using the service. That applies to remote communication systems, mobile applications, and Internet and cloud solutions.

Audio telehealth plays an important part in reaching patients in rural communities, people with disabilities, and others who want the convenience of remote services. This guidance clarifies how the HIPAA Rules permit health care organizations and plans to provide audio telehealth while protecting the privacy and security of individuals’ health information.