HHS Addresses HIPAA Compliance and Audio-Only Telehealth Services | Practical Law

The Department of Health and Human Services (HHS) has issued guidance on how health providers and health plans, as covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), can use remote communication technologies to provide audio-only telehealth services in compliance with HIPAA.

Practical Law Legal Update w-035-8936 (Approx. 7 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 14 Jun 2022 | USA (National/Federal)
HHS's Office for Civil Rights (OCR) has issued guidance addressing how health providers and health plans (as HIPAA covered entities (CEs)) can use remote communication technologies to provide audio-only telehealth services consistent with HIPAA (Audio-Only Telehealth Services Guidance (June 13, 2022)). The guidance, which encompasses HIPAA's Privacy, Security, and Breach Notification Rules (collectively, HIPAA Rules), applies now and after expiration of a related HHS telehealth notice issued early on in the COVID-19 pandemic.

Telehealth Notice Issued at Start of COVID-19 Pandemic

As background, HHS issued a telehealth notice in March 2020 to promote the use of remote health care services in response to COVID-19 (Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide PHE (85 Fed. Reg. 22024 (Apr. 21, 2020)); see Practice Note, Telehealth Coverage and Reimbursement: Reimbursement of Telehealth During COVID-19). Under HHS's telehealth notice, the agency did not impose penalties on CE/health providers for noncompliance with the HIPAA Rules regarding the good faith provision of telehealth using non-public facing audio or video remote communication technologies during the COVID-19 public health emergency (PHE). As a result, providers could use these technologies for telehealth even if the technologies were not fully compliant with the HIPAA Rules. The telehealth notice will remain in effect until HHS declares that the COVID-19 PHE no longer exists (or, if earlier, the expiration date of the declared PHE).

HIPAA Privacy Rule Compliance and Audio-Only Telehealth Services

HHS's June 2022 guidance addresses when and how health plans and health providers may use remote communication technologies to provide telehealth services, including audio-only services, in compliance with HIPAA's Privacy Rule (see Practice Note, HIPAA Privacy Rule). Under the Privacy Rule, CEs must apply reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services. For example, HHS's guidance notes that providers must:
  • Deliver telehealth services in private settings if feasible.
  • Adopt reasonable safeguards to limit incidental uses or disclosures of PHI if telehealth services cannot be provided in a private setting (for example, if a provider shares an office with another person). These safeguards may include using lowered voices and not using speakerphone.

Identity Verification

Under HHS's guidance, a CE that does not know an individual's identity must verify the individual's identity orally or in writing, which may include using electronic methods. HHS recognized in this regard that the HIPAA Rules do not impose specific requirements on how to verify an individual's identity. However, under laws such as the Affordable Care Act's (ACA's) Section 1557 rules, communications with individuals with disabilities generally must be as effective as communications with others (see Article, Nondiscrimination in Health Programs and Activities Under the ACA (Section 1557): Effective Communication for Individuals with Disabilities). As a result, CEs may need to provide appropriate auxiliary aids and services for disabled individuals or language assistance services for individuals who cannot speak English.

HIPAA Security Rule and Audio-Only Telehealth Services

Besides Privacy Rule issues, CEs must consider potential HIPAA Security Rule implications when using remote communication technologies to provide audio-only telehealth services (see Practice Note, HIPAA Security Rule: Overview and Administrative Safeguards). HHS's guidance addresses these considerations. HIPAA's Security Rule governs electronic PHI (ePHI) (that is, PHI transmitted by—or maintained in—electronic media). As a result, HHS's guidance clarifies that the Security Rule does not apply to audio-only telehealth services furnished by a CE via a traditional landline telephone, because the transmitted information is not electronic.
However, HHS noted that the Security Rule applies if a CE uses electronic communication technologies for remote exchanges. Accordingly, CEs that use telephone systems to transmit ePHI must comply with the HIPAA Security Rule as to those technologies, which may include:
  • Voice over Internet Protocol (VoIP) technologies.
  • Mobile technologies that use electronic media (such as internet, intra- and extranets, cellular, and Wi-Fi).
Security Rule compliance also may be required for remote communications using:
  • Communication apps on a smartphone or other device.
  • Technologies that electronically record or transcribe a telehealth session.
  • Messaging services that electronically store audio messages.
Under HHS's guidance, however, CEs are not responsible for the privacy or security of individuals' health information after it is received by the individual's phone or other device.

Security Rule Risk Analyses and Risk Management Processes

Under HHS's guidance, a CE's risk analyses and risk management processes (both of which are Security Rule safeguards) must identify, assess, and address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using electronic communication technologies for remote communications (see Practice Note, HIPAA Security Rule: Security Management Process).
A CE's risk analysis and risk management should therefore consider whether:
  • A transmission could be intercepted by an unauthorized third party.
  • The remote communication technology being used supports encrypted transmissions.
  • There is a risk that ePHI created or stored as a result of a telehealth session (for example, session recordings or transcripts) could be accessed by an unauthorized third party.
  • Encryption could be used to secure recordings or transcripts of telehealth sessions after they are created or stored.
  • Authentication is required to access the device or app where ePHI from a telehealth session may be stored.
  • A device or app automatically terminates the session or locks after a period of inactivity.
HHS also observed that communication technologies (for example, networks, devices, and apps) tend to change rapidly over time. As a result, rigorous inventory and asset management procedures under the Security Rule can help CEs identify these technologies and the information systems that use the technologies. In turn, this supports accurate and complete risk analyses under the Security Rule.

HIPAA Compliance and Health Plan Coverage for Audio-Only Telehealth Services

HHS takes the view in its guidance that CE/health providers may offer audio-only telehealth services using remote communication technologies consistent with the HIPAA Rules even if a participant's health plan does not cover or reimburse those services. According to HHS, health plan coverage and payment questions involving health care services delivered using telehealth are distinct questions from HIPAA compliance (and only the latter is addressed in this HHS guidance).

Business Associate Considerations for Audio-Only Telehealth Services

HHS's guidance also addresses business associate (BA) issues regarding audio-only telehealth services. The guidance clarifies that health plans and providers will sometimes need a BA agreement (BAA) in place with vendors in order to conduct audio-only telehealth using remote communication technologies (see Standard Document, HIPAA Business Associate Agreement). As a general rule, CEs are only required to enter into a BA agreement with a telecommunication service provider (TSP) when the vendor acts as a BA—which depends on whether the vendor is serving as merely a conduit or something more.

Vendors That Are Merely Conduits

A CE that uses a telephone to communicate with participants/patients need not have a BAA in place with a TSP/vendor that has only transient access to the PHI it transmits. This is because the vendor is acting merely as a conduit for the PHI. No BA relationship is established if the TSP does not:
  • Also create, receive, or maintain PHI on a CE's behalf.
  • Require access on a routine basis to the PHI it transmits in the call.
As a result, no BAA is necessary. For example, no BAA is needed between a CE/health provider and TSP when:
  • A provider conducts an audio-only telehealth session with a patient using a smartphone.
  • The TSP does not create, receive, or maintain any PHI from the session and is merely connecting the call.

Vendors That Are More Than Mere Conduits

By contrast, CEs must enter into BAAs with vendors that are more than mere conduits. For example, assume that a provider performs audio-only telehealth sessions with patients using a smartphone app that stores recordings and transcripts (both PHI) in the app developer's cloud infrastructure for the provider's later use. In this situation, according to HHS, the provider must enter into a BAA with the app developer before it can use the app with patients. This is because the app provides more than data transmission services—it is also creating, receiving, and maintaining PHI.

Practical Impact

Although geared to health providers, HHS's latest telehealth guidance will also be of interest to health plans—particularly regarding the BA implications of contracting with telecommunication service providers and the applicability of the conduit exception. (For more information, see Practice Note, HIPAA Business Associates and Cloud Computing: Limited Availability of Conduit Exception Regarding Cloud Service Providers.) As HHS's guidance makes clear, expanded reliance on telehealth services comes with additional compliance considerations that may somewhat offset the cost-savings typically associated with these services.